Proximity-based system for automatic application or data access and item tracking

ABSTRACT

A system and method provide automatic access to applications or data. A portable physical device, referred to herein as a Personal Digital Key or “PDK”, stores one or more profiles in memory, including a biometric profile acquired in a secure trusted process and uniquely associated with a user that is authorized to use and associated with the PDK. The PDK wirelessly transmits identification information including a unique PDK identification number, the biometric profile and a profile over a secure wireless channel to a reader. A computing device is coupled to the reader. An auto login server is coupled to the reader and the computing device and launches one or more applications associated with a user name identified by the received profile.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Patent Application No.61/314,032, filed Mar. 15, 2010, the entire contents of which areincorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of Art

This disclosure generally relates to the field of radio frequencyidentification (RFID) and electronic authentication, and morespecifically, to systems and methods for automatic and secureauthentication of users.

2. Description of the Related Art

Optimizing patient care is an ever-changing and challenging endeavor.Ensuring quality patient care that is safe, efficient and cost-effectiveis very important to patients, as well as healthcare providers.Conventional technologies used in the healthcare industry for aidingprovider patient care, monitoring patient treatment, receiving andretrieving patient data and monitoring provider activity have not yetprovided optimal features to meet these needs. Recently, softwareapplication systems have been developed in an attempt to improve patientcare and provider performance.

Currently, many healthcare facilities utilize electronic software andapplications to securely store and efficiently access private patientinformation. In many healthcare institutions, healthcare providersaccess patient electronic records with authorized entry into thehealthcare software application system. In most conventional systems,providers are provided with a unique user name and password that theymust enter into a system each time they need to access patientinformation. Further, when a healthcare provider is done accessingpatient records, the healthcare provider must log out of the system toensure that unauthorized use does not occur. The process of logging inand logging off each time may prove to be quite time-consuming given thenumber of patients a provider visits in a given day.

Another problem for many healthcare facilities is making sure thatequipment is deployed in a manner that maximizes their usage andavailability. For example, in many hospitals the location of equipmentis not tracked and monitored other than during an annual equipmentinventory. Thus, healthcare providers may not be aware of the preciselocation of equipment or know when equipment is currently in use. Thus,conventional methods provided limited ability to track the location ofequipment.

BRIEF SUMMARY OF THE INVENTION

A system and method provides automatic access to applications or datawhile maintaining application or data security. A portable physicaldevice, referred to herein as a Personal Digital Key or “PDK”, storesone or more profiles uniquely associated with a user in a memory. In oneembodiment, one of the profiles is a biometric profile that is acquiredin a secure trusted process and is uniquely associated with a userauthorized to use the PDK and associated with the PDK. A readerwirelessly communicates with the PDK and receives a profile from thePDK. A computing device is coupled to the reader and displays data on adisplay device responsive to receiving data associated with the profilefrom the reader. Additionally, an auto login sever is coupled to thecomputing device and to the reader and the auto login server receivesthe profile from the reader and launches, on the computing device, oneor more applications associated with a user name identified by theprofile.

In one embodiment, the reader acquires a biometric input from the userassociated. The biometric input can be acquired by, for example, afingerprint scan, iris scan, retinal scan, palm scan, face scan, DNAanalysis, signature analysis, voice analysis or any other inputmechanism that provides physical or behavioral characteristics uniquelyassociated with the individual. The reader compares the biometricprofile received from the PDK to the biometric input acquired from theuser to determine if an application should be launched or if data accessis authorized.

The features and advantages described in the specification are not allinclusive and, in particular, many additional features and advantageswill be apparent to one of ordinary skill in the art in view of thedrawings, specification, and claims. Moreover, it should be noted thatthe language used in the specification has been principally selected forreadability and instructional purposes, and may not have been selectedto delineate or circumscribe the disclosed subject matter.

BRIEF DESCRIPTION OF DRAWINGS

The disclosed embodiments have other advantages and features which willbe more readily apparent from the detailed description, the appendedclaims, and the accompanying figures (or drawings). A brief introductionof the figures is below.

FIG. 1 is a block diagram illustrating a system for securelyauthenticating an individual for accessing data or one or moreapplications in accordance with the present invention.

FIG. 2 is a block diagram illustrating one embodiment of a localservices module in accordance with the present invention.

FIG. 3 is a block diagram illustrating one embodiment of a PersonalDigital Key (PDK) in accordance with the present invention.

FIG. 4 is a block diagram illustrating one embodiment of a biometricreader of a PDK in accordance with the present invention.

FIG. 5 is a block diagram illustrating one embodiment of a reader inaccordance with the present invention.

FIG. 6 is a block diagram illustrating one embodiment of a computingdevice in accordance with the present invention.

FIG. 7 is a flowchart of a method for authorizing a communicationconnection using secure authentication in accordance with the presentinvention.

FIG. 8 is a flowchart of a method for device authentication by a readerin accordance with the present invention.

FIG. 9 is a flowchart of a method for profile authentication by a readerin accordance with the present invention.

FIG. 10A is a flowchart of a method for biometric authentication inaccordance with the present invention.

FIG. 10B is a flowchart of a method for profile testing using a personalidentification number in accordance with the present invention.

FIG. 10C is a flowchart of a method for profile testing using a pictureprofile in accordance with the present invention.

FIG. 10D is a flowchart of a method for profile testing using a privateor central registry in accordance with the present invention.

FIG. 11A illustrates an example scenario of a reader operating withmultiple PDKs in its proximity zone in accordance with the presentinvention.

FIG. 11B illustrates an example scenario of operation of a reader with adirectional proximity zone in an environment with multiple PDKs inaccordance with the present invention.

FIG. 12 is a flowchart of a method for differentiating between multiplePDKs within the proximity zone of a reader in accordance with thepresent invention.

FIG. 13 is a block diagram of a system for estimating location of a PDKusing coordinate triangulation in accordance with the present invention.

FIG. 14 is a block diagram of an alternative system for locationtracking of a PDK in accordance with the present invention.

FIG. 15 is a block diagram of a tracking server in accordance with thepresent invention.

FIG. 16 is a flowchart of a method for tracking assets or users inaccordance with the present invention.

FIG. 17 is a block diagram of an auto login server in accordance withthe present invention.

FIG. 18 is a flowchart of a method for automatic login of a user inaccordance with the present invention.

FIG. 19 is a flowchart of a method for automatically allowing access toone or more applications in accordance with the present invention.

FIG. 20 is a flowchart of a method for identifying one or moreapplications launched when a user is within the proximity zone of areader in accordance with the present invention.

FIG. 21 is a flowchart of a method for locking a computing devicecoupled to a reader responsive to a PDK exiting the proximity zone ofthe reader in accordance with the present invention.

FIG. 23 is a block diagram of a portal server in accordance with thepresent invention.

FIG. 24 is a flowchart of a method for communicating with remoteservices provided by a third party site in accordance with the presentinvention.

FIG. 25 is a flow chart of a method for initially storing data on a PDKin accordance with the present invention.

FIG. 26 is an example user interface for configuring user informationassociated with a PDK in accordance with the present invention.

FIG. 27 is an example user interface for configuring asset informationassociated with a PDK in accordance with the present invention.

FIG. 28 is an example user interface for manually identifying assets orusers included in a group in accordance with the present invention.

FIG. 29 is an example user interface for automatically identifyingassets or users included in a group in accordance with the presentinvention.

FIG. 30 is an example user interface for tracking a user or an assetassociated with a PDK in accordance with the present invention.

FIG. 31 is an example user interface for identifying the location of atracked user or asset associated with a PDK in accordance with thepresent invention.

FIG. 32 is an example user interface for describing an alert for atracked user or asset in accordance with the present invention.

FIG. 33 is an example user interface for describing a report for atracked user or asset in accordance with the present invention.

The figures depict various embodiments of the present invention forpurposes of illustration only. One skilled in the art will readilyrecognize from the following discussion that alternative embodiments ofthe structures and methods illustrated herein may be employed withoutdeparting from the principles of the invention described herein.

DETAILED DESCRIPTION

A system and method for transitioning between pages using an electronicpaper display (EPD) are described. In the following description, forpurposes of explanation, numerous specific details are set forth inorder to provide a thorough understanding of the invention. It will beapparent, however, to one skilled in the art that the invention can bepracticed without these specific details. In other instances, structuresand devices are shown in block diagram form in order to avoid obscuringthe invention. For example, the present embodiment of invention isdescribed in one embodiment below with reference to portable computingdevices that are exemplified in a hardware and software platform usingelectronic paper, e-paper or electronic ink display. However, thepresent embodiment of invention applies to any type of portablecomputing device that can capture ink, data and commands, and senddocuments electronically.

Reference in the specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment is included in at least one embodimentof the invention. The appearances of the phrase “in one embodiment” invarious places in the specification are not necessarily all referring tothe same embodiment. In particular the present embodiment of inventionis described below in the content of two distinct architectures and someof the components are operable in both architectures while others arenot.

Some portions of the detailed descriptions that follow are presented interms of algorithms and symbolic representations of operations on databits within a computer memory. These algorithmic descriptions andrepresentations are the means used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the following discussion,it is appreciated that throughout the description, discussions utilizingterms such as “processing” or “computing” or “calculating” or“determining” or “displaying” or the like, refer to the action andprocesses of a computer system, or similar electronic computing device,that manipulates and transforms data represented as physical(electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

The present embodiment of invention also relates to an apparatus forperforming the operations herein. This apparatus may be speciallyconstructed for the required purposes, or it may comprise ageneral-purpose computer selectively activated or reconfigured by acomputer program stored in the computer. Such a computer program may bestored in a computer readable storage medium, such as, but is notlimited to, any type of disk including floppy disks, optical disks,CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), randomaccess memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, orany type of media suitable for storing electronic instructions, eachcoupled to a computer system bus.

The invention can take the form of an entirely hardware embodiment, anentirely software embodiment or an embodiment containing both hardwareand software elements. In a preferred embodiment, the invention isimplemented in software, which includes but is not limited to firmware,resident software, microcode, etc.

Furthermore, the invention can take the form of a computer programproduct accessible from a computer-usable or computer-readable mediumproviding program code for use by or in connection with a computer orany instruction execution system. For the purposes of this description,a computer-usable or computer readable medium can be any apparatus thatcan contain, store, communicate, propagate, or transport the program foruse by or in connection with the instruction execution system,apparatus, or device.

The medium can be an electronic, magnetic, optical, electromagnetic,infrared, or semiconductor system (or apparatus or device) or apropagation medium. Examples of a computer-readable medium include asemiconductor or solid state memory, magnetic tape, a removable computerdiskette, a random access memory (RAM), a read-only memory (ROM), arigid magnetic disk and an optical disk. Current examples of opticaldisks include compact disk-read only memory (CD-ROM), compactdisk-read/write (CD-R/W) and DVD.

A data processing system suitable for storing and/or executing programcode will include at least one processor coupled directly or indirectlyto memory elements through a system bus. The memory elements can includelocal memory employed during actual execution of the program code, bulkstorage, and cache memories which provide temporary storage of at leastsome program code in order to reduce the number of times code must beretrieved from bulk storage during execution.

Input/output or I/O devices (including but not limited to keyboards,displays, pointing devices, etc.) can be coupled to the system eitherdirectly or through intervening I/O controllers.

Network adapters may also be coupled to the system to enable the dataprocessing system to become coupled to other data processing systems orremote printers or storage devices through intervening private or publicnetworks. Modems, cable modem and Ethernet cards are just a few of thecurrently available types of network adapters.

Finally, the algorithms and displays presented herein are not inherentlyrelated to any particular computer or other apparatus. Variousgeneral-purpose systems may be used with programs in accordance with theteachings herein, or it may prove convenient to construct morespecialized apparatus to perform the required method steps. The requiredstructure for a variety of these systems will appear from thedescription below. In addition, the present embodiment of invention isdescribed with reference to a particular programming language. It willbe appreciated that a variety of programming languages may be used toimplement the teachings of the invention as described herein.

FIG. 1 is a high level block diagram illustrating a system for securelyauthenticating an individual for accessing data or one or moreapplications. The system 100 comprises a Personal Digital Key (PDK) 102,a Reader 108, a network 110, a computing device 120, a local servicesmodule 124, a third party link module 126, a record system 128, anetwork 130 and a third party site 140. The Reader 108 is coupled to PDK102 by a wireless link 106 and coupled to a network 110 by either awired or wireless link represented by lines 152 and 154. The Reader 108is also adapted to receive a biometric input 122 from a user and iscapable of displaying status to a user. The PDK 102 is also adapted toreceive biometric input 122 from a user. The network 110 couples thelocal services module 124 and third party link module 126 to the Reader108. The network 110 also couples the local servers 124 and third partylink module 126 to the record system 128 via signal lines 158 and 160.In alternative embodiments, different or additional external services,registries or databases (not shown) are coupled to the network 110. Inanother embodiment, the Reader 108 operates as a standalone devicewithout a connection to the network 110. The network 130 couples thethird party link module 126 to the third party site 140 and servicesprovided by the third party site 140, such as pharmacy services,insurance services or lab services.

The system 100 addresses applications where it is important to ensure aspecific individual is authorized to perform a given transaction. Atransaction as used herein include executing a purchase or financialdealing, enabling access to physical and/or digital items, providingidentification or personal information or executing other tasks where itis important to authenticate an individual for use. In one embodiment,the Reader 108 wirelessly receives information stored in the PDK 102that uniquely identifies the PDK 102 and the individual carrying the PDK102. In another embodiment, the Reader 108 also receives a biometricinput 122 from the individual. For example, the Reader 108 receives afingerprint, a retinal scan, an iris scan, a facial scan or any othersuitable biometric input associated with the individual. The PDK 102 canalso receive biometric input 122 from the individual. Based on thereceived information, the Reader 108 determines if the transactionshould be authorized. Beneficially, the system 100 providescomprehensive authentication without the need for PINs or passwords.Moreover, personal biometric information need not be stored in any localor remote storage database and is only stored on the user's own PDK 102.Furthermore, in one embodiment, purchase transactions can be efficientlycompleted without requiring the use of physical credit cards, tokens orother user action beyond initiating the transaction.

The PDK 102 is a compact, portable uniquely identifiable wireless devicetypically carried by an individual or affixed to an object or device.The PDK 102 stores digital information in a tamper-proof format uniquelyassociating the PDK 102 with an individual. Example embodiments of PDKsare described in more detail in U.S. patent application Ser. No.11/292,330, entitled “Personal Digital Key And Receiver/Decoder CircuitSystem And Method” filed on Nov. 30, 2005; U.S. patent application Ser.No. 11/620,581 entitled “Wireless Network Synchronization Of Cells AndClient Devices On A Network” filed on Jan. 5, 2007; and U.S. patentapplication Ser. No. 11/620,577 entitled “Dynamic Real-Time TieredClient Access” filed on Jan. 5, 2007, the entire contents of which areall incorporated herein by reference.

To establish the trust, credibility and confidence of the authenticationsystem, information stored in the PDK 102 is acquired by a process thatis trusted, audited and easily verified. The process is ensured by atrusted third-party system, referred to herein as a “Notary,” thatadministers the acquisition and storage of information in the PDK 102according to defined security protocols. In one embodiment, the Notaryis a system and/or a trusted individual that witnesses the acquisitionand storage either in person or remotely. In another embodiment, theNotary comprises trusted hardware that administers the initializationprocess by an automated system. Thus, once initialized by the trustedprocess, the PDK 102 can prove that the information it stores is that ofthe individual. Example embodiments of the initialization process aredescribed in U.S. patent application Ser. No. 11/744,832 to John Giobbi,et al., entitled “Personal Digital Key Initialization and RegistrationFor Secure Transaction” filed on May 5, 2007, the entire contents ofwhich are incorporated herein by reference.

The Reader 108 wirelessly communicates with the PDK 102 when the PDK 102is within a proximity zone of the Reader 108. The proximity zone can be,for example, several meters in radius and can be adjusted dynamically bythe Reader 108. Thus, in contrast to many conventional radio frequencyidentification (RFID) devices, the Reader 108 is able to detect andcommunicate with the PDK 102 without requiring an individual using, orassociated with the PDK 102, to remove the PDK 102 from his/her pocket,wallet, purse, etc. Generally, the Reader 108 receives uniquelyidentifying information from the PDK 102 and initiates an authenticationprocess for the individual carrying the PDK 102. In one embodiment, theReader 108 is adapted to receive a biometric input 122 from theindividual. The biometric input 122 comprises a representation ofphysical or behavioral characteristics unique to the individual. Forexample, the biometric input 122 can include a fingerprint, a palmprint, a retinal scan, an iris scan, a photograph, a signature, a voicesample or any other biometric information such as DNA, RNA or theirderivatives that can uniquely identify the individual. The Reader 108compares the biometric input 122 to information received from the PDK102 to determine if a transaction should be authorized. Alternatively,the biometric input 122 can be obtained by a biometric reader 470 (FIG.4) on the PDK 102 and transmitted to the Reader 108 for authentication.In additional alternative embodiment, some or all of the authenticationprocess can be performed by the PDK 102 instead of the Reader 108.

The Reader 108 is further communicatively coupled to the network 110 inorder to receive and/or transmit information to remote databases forremote authentication. In an alternative embodiment, the Reader 108includes a non-volatile data storage that can be synchronized with oneor more remote databases 112 or registries 114, 116 a, 116 b (FIG. 2).Such an embodiment alleviates the need for a continuous connection tothe network 110 and allows the Reader 108 to operate in a standalonemode and for the local data storage to be updated when a connection isavailable. For example, a standalone Reader 108 can periodicallydownload updated registry entries and perform authentication locallywithout any remote lookup.

The network 110 provides communication between the Reader 108 and thecomputing device 120, local services module 124, and third party linkmodule 126. For example, a communication channel 156 couples thecomputing device 120 to the network 110. For example, the communicationchannel 156 is a wired or wireless connection. In alternativeembodiments, one or more of these connections may not be present ordifferent or additional network connections may be present. In oneembodiment, the network 110 uses standard communications technologiesand/or protocols. Thus, the network 110 can include links usingtechnologies such as Ethernet, 802.11, 802.16, integrated servicesdigital network (ISDN), digital subscriber line (DSL), asynchronoustransfer mode (ATM), etc. Similarly, the networking protocols used onthe network 110 can include the transmission control protocol/Internetprotocol (TCP/IP), the hypertext transport protocol (HTTP), the simplemail transfer protocol (SMTP), the file transfer protocol (FTP), etc.The data exchanged over the network 110 can be represented usingtechnologies and/or formats including the hypertext markup language(HTML), the extensible markup language (XML), etc. In addition, all orsome of links can be encrypted using conventional encryptiontechnologies such as the secure sockets layer (SSL), Secure HTTP and/orvirtual private networks (VPNs). In another embodiment, the entities canuse custom and/or dedicated data communications technologies instead of,or in addition to, the ones described above.

Similarly, the network 130 provides communication between the localservices module 124 and third party site 140. In alternativeembodiments, one or more of these connections may not be present ordifferent or additional network connections may be present. In oneembodiment, the network 130 uses standard communications technologiesand/or protocols. Thus, the network 130 can include links usingtechnologies such as Ethernet, 802.11, 802.16, integrated servicesdigital network (ISDN), digital subscriber line (DSL), asynchronoustransfer mode (ATM), etc. Similarly, the networking protocols used onthe network 110 can include the transmission control protocol/Internetprotocol (TCP/IP), the hypertext transport protocol (HTTP), the simplemail transfer protocol (SMTP), the file transfer protocol (FTP), etc.The data exchanged over the network 110 can be represented usingtechnologies and/or formats including the hypertext markup language(HTML), the extensible markup language (XML), etc. In addition, all orsome of links can be encrypted using conventional encryptiontechnologies such as the secure sockets layer (SSL), Secure HTTP and/orvirtual private networks (VPNs). In another embodiment, the entities canuse custom and/or dedicated data communications technologies instead of,or in addition to, the ones described above.

FIG. 2 is a block diagram illustrating a local services module 124,which includes one or more external databases including a validationdatabase 112, a Central Registry 114 and one or more private registries116 a, 116 b. The local services module 124 also includes a medicalservices controller 202, a registration server 205, a tracking server210, an auto login server 220, a quality assurance server 240, and aninternet portal server 250.

The validation database 112 stores additional information that may beused for authorizing a transaction to be processed at the Reader 108.For example, in purchase transactions, the validation database 112 is acredit card validation database that is separate from the merchantproviding the sale. Alternatively, a different database may be used tovalidate different types of purchasing means such as a debit card, ATMcard, or bank account number. As another example in healthcare systems,the validation database 112 is a medical record number validationdatabase that separate from the healthcare institution providing thepatient care, which provides confirmation of the patient'sidentification.

The registries 114, 116 a, 116 b are securely-accessible databasescoupled to the network 110 that store, among other items, PDK, Notary,and Reader information. In one embodiment, the registries 114, 116 a,116 b do not store biometric information. In an alternative embodiment,the registries 114, 116 a, 116 b store biometric information in anencoded format that can only be recovered using an algorithm or encodingkey stored in the PDK 102. Information stored in the registries 114, 116a, 116 b can be accessed by the Reader 108 via the network 110 for usein the authentication process. There are two basic types of registries114, 116 a, 116 b illustrated: private registries 116 a, 116 b and theCentral Registry 114. Private registries 116 a, 116 b are generallyestablished and administered by their controlling entities (e.g., ahealth care provider, business authority, or other entity administeringauthentication). Private registries 116 a, 116 b can be customconfigured to meet the specialized and independent needs of eachcontrolling entity. The Central Registry 114 is a single highly-secured,centrally-located database administered by a trusted third-partyorganization. In one embodiment, all PDKs 102 are registered with theCentral Registry 114 and may be optionally registered with one or moreselected private registries 116 a, 116 b. In alternative embodiments, adifferent number or different types of registries 114, 116 a, 116 b maybe coupled to the network 110.

In one embodiment, a registry 114, 116 or the database 112 includes oneor more records. A record includes login information associated with oneor more applications. For example, the record includes a PDK ID 312, anapplication identifier, an application username and an applicationpassword. When the PDK 102 is identified by a Reader, data from theregistry profile is communicated to the local services module 124 andused to allow a user to login or access an application using the datastored in the registry profile. In one embodiment, different records inthe registry 114, 116 or database 112 are encrypted using a registry keythat is also stored in the PDK 102 to prevent access to a record withoutthe PDK 102. One embodiment of launching, or accessing, applicationusing a registry profile is further described below in conjunction withFIGS. 18-20.

The medical services controller 202 enables communication between theservers and modules of the local services module 124 and third partylink module 126 with the computing device 120. In one embodiment, themedical services controller 202 receives information and requests fromthe computing device 120 via the network 110. In another embodiment, themedical services controller 202 coordinates the operation of the variousservers and modules of the local services module 124 and third partylink module 126. For example, when a patient registration request isreceived from the Reader 108, the medical services controller 202 routesthe request to the registration server 205 and forwards registrationconfirmation to the appropriate destination, such as the computingdevice 120.

The registration server 205 automates the process of registering newpatients and ensures that a patient never needs to register more thanonce. In one embodiment, the registration server 205 resides in thelocal services module 124, which is coupled to the network via signalline 158. In one embodiment, the registration server 205 is coupled tothe validation database 112, central registry 114 and private registries116 a, 116 b. The registration server 205 receives patient registrationrequests from Readers 108 via the network 110 and sends information tothe computing device 120 also via the network 110.

The tracking server 210 enables real-time tracking of individuals,equipment and supplies. In one embodiment, the tracking server 210resides in the local services module 124, which is coupled to thenetwork 110 via signal line 158. The tracking server 210 receivesinformation from the Readers 108 and sends information back to theReaders 108 and PDK 102. One embodiment of the tracking server 210 isdescribed in more detail below with reference to FIG. 15.

The auto login server 220 allows for automated logging in of providersinto the healthcare computer system. In one embodiment, the auto loginserver 220 resides in the local services module 124 and is coupled tothe validation database 112, central registry 114 and private registries116 a, 116 b. The auto login server receives login requests from theReaders 108 and sends login authorization to the computing device 120.One embodiment of the auto login server 220 is described in more detailbelow with reference to FIG. 17.

The portal server 230 exchanges data between the local services module124 and one or more third party sites 140. For example, the portalserver 230 includes identifiers associated with one or more third partysites 140 to identify a third party site 140 and enable access to datamaintained by the third party site 140. In one embodiment, the portalserver 230 also modifies the format of data received from a third partysite 140 to expedite use of the received data by another component, suchas the application server 240 or a computing device 120 coupled to thelocal services module 124.

The application server 240 includes data that, when executed by aprocessor, implements one or more applications to provide one or moretypes of functionality. In one embodiment, the application server 240 isincluded in the local services module 124. Additionally, in oneembodiment, the application server 240 communicates with one or morethird party sites 140 via a signal line 164 and the network 130, whichcommunicates with the third party site 140 via a communication channel172. This allows the application server 250 to communicate data from thethird party site 140 to the computing device 120. One embodiment of theapplication server 240 is described in more detail below with referenceto FIG. 24. Such third party services may include accessing a patient'svirtual database records or insurance information or sendingprescription requests to remote pharmacies. More detailed informationdescribing the components and functions of these servers is described inmore detail below.

The alert server 250 provides automatic updates and alerts for monitoredpatients or other entities. The alert server 250 receives informationfrom Readers 108 and sends information to the computing device 120. Inone embodiment, the alert server 250 resides in the local servicesmodule 124. In one embodiment, the alert server 250 receives data fromthe tracking server 210 to allow generation of updates or alerts basedon the location of a PDK 102.

Turning now to FIG. 3, an example embodiment of a PDK 102 isillustrated. The PDK 102 comprises a memory 310, a programmer I/O 340,control logic 350, a transceiver 360 and a biometric reader 370 coupledby a bus 380. The PDK 102 can be standalone as a portable, physicaldevice or can be integrated into commonly carried items. For example, aPDK 102 can be integrated into a portable electronic device such as acell phone, Personal Digital Assistant (PDA), or GPS unit, an employeeidentification tag or badge, clothing, or jewelry items such as watches,rings, necklaces or bracelets. In one embodiment, the PDK 102 can be,for example, about the size of a Subscriber Identity Module (SIM) cardand be as small as a square inch in area or less. In another embodiment,the PDK 102 can be easily contained in a pocket, on a keychain, or in awallet. In yet another embodiment, a PDK 102 can be integrated into asticker, tag or other item attachable to various items or equipment. Inother embodiments, the PDK 102 can be integrated into a clipboard,patient wristband or other patient identification tags or badges. Insome embodiments, where the PDK 102 is attached to equipment fortracking purposes, the PDK 102 also includes a button or switch that canbe activated or deactivated to indicate whether the equipment is in use.

The memory 310 can be a read-only memory, a once-programmable memory, aread/write memory or any combination of memory types including physicalaccess secured and tamperproof memories. The memory 310 typically storesa unique PDK ID 312, an activity log 390 and one or more profiles 320.The PDK ID 312 comprises a public section and a private section ofinformation, each of which can be used for identification andauthentication. In one embodiment, the PDK ID 312 is stored in aread-only format that cannot be changed subsequent to manufacture. ThePDK ID 312 is used as an identifying feature of a PDK 102 anddistinguishes between PDKs 102 in private 116 or Central 114 registryentries. In an alternative embodiment, the registries can identify a PDK102 by a different ID than the PDK ID 412 stored in the PDK 102, or mayuse both the PDK ID 312 and the different ID in conjunction. The PDK ID312 can also be used in basic PDK authentication to ensure that the PDK102 is a valid device.

The activity log 390 stores information associated with variousactivities of the PDK. For example, if the PDK 102 is a patient's PDK,the activity log 390 stores information identifying the patient'slocation throughout various times. In one embodiment, the activity log390 keeps track of each time a patient visits a healthcare facility oreach time a doctor or nurse visits a department within the healthcarefacility. In another embodiment, the activity log 390 stores thepatient's location throughout various points as the patient is in theprovider's facility. Similarly, the if PDK 102 is attached to a piece ofequipment or a cart of supplies, the activity log 390 stores locationinformation as well. In another embodiment, if the PDK 102 is that of aprovider, the activity log 390 stores information associated with theprovider's rounds, i.e. each time a provider visits a certain patient oruses a particular medical device.

The profile fields 320 can be initially empty at the time of manufacturebut can be written to by authorized individuals (e.g., a Notary) and/orhardware (e.g., a Programmer). In one embodiment, each profile 320comprises a profile history 322 and profile data 330. Many differenttypes of profiles 320 are possible. A biometric profile, for example,includes profile data 330 representing physical and/or behavioralinformation that can uniquely identify the PDK owner. A PDK 102 canstore multiple biometric profiles, each comprising a different type ofbiometric information. In one embodiment, the biometric profile 320comprises biometric information transformed by a mathematical operation,algorithm, or hash that represents the complete biometric information(e.g., a complete fingerprint scan). In one embodiment, a mathematicalhash is a “one-way” operation such that there is no practical way tore-compute or recover the complete biometric information from thebiometric profile. This both reduces the amount of data to be stored andadds an additional layer of protection to the user's personal biometricinformation. In one embodiment, the biometric profile is further encodedusing an encoding key and/or algorithm that is stored with the biometricprofile data. Then, for authentication, the biometric profile data andthe encoding key and/or algorithm are passed to the Reader 108.

In one embodiment, the PDK 102 also stores one or more biometric profile“samples” associated with each biometric profile. The biometric profilesample is a subset of the complete profile that can be used for quickcomparisons of biometric data. In one embodiment, the profile samplescan be transmitted over a public communication channel or transmittedwith reduced level of encryption while the full biometric profiles areonly transmitted over secure channels. In the case of fingerprintauthentication, for example, the biometric profile sample may representonly small portion area of the full fingerprint image. In anotherembodiment, the fingerprint profile sample is data that describes an arcof one or more lines of the fingerprint. In yet another embodiment, thefingerprint profile sample can be data representing color information ofthe fingerprint.

In another embodiment, the stored profiles 320 include a PIN profilethat stores one or more PINs or passwords associated with the PDK owner.Here, the number or password stored in the PIN profile can be comparedagainst an input provided by the user at the point of transaction toauthenticate the user. In one embodiment, a PIN profile sample is alsostored with the PIN profile that comprises a subset of the full PIN. Forexample, a PIN profile sample can be only the first two numbers of thePIN that can be used to quickly compare the stored PIN profile to a PINobtained at the point of transaction.

In yet another embodiment, the PDK 102 stores a picture profile thatincludes one or more pictures of the PDK owner. In a picture profileauthentication, the picture stored in the PDK 102 is transmitted to adisplay at the point of transaction to allow an administrator (e.g., aclerk or security guard) to confirm or reject the identity of theindividual requesting the transaction. In another embodiment, an imageis captured of the individual at the point of transaction and comparedto the picture profile by an automated image analysis means.Furthermore, picture profiles could be used, for example, in place ofconventional passports or drivers licenses to authenticate the identityof an individual and allow for remote identification of individuals. Forexample, a police officer following a vehicle could obtain an image andidentity of the driver while still maintaining a safe distance from thevehicle. In the hospitality industry, a host could greet a guest at thedoor of a hotel, casino or restaurant and easily recognize the guest byobtaining the guest's picture profile as he/she enters. In healthcare, adoctor or nurse can ensure that he or she is administering the correctmedication to the right patient by looking at the profile pictureassociated with that patient.

A registry or database profile typically stores information associatingthe user with a registry. The registry profile can be used to determineif the individual is associated with the controlling entity for thatregistry and if different types of transactions are authorized for theindividual. A registry profile can further include additional userinformation for use with the registry. For example, a private registryprofile associated with a particular merchant may include a credit cardnumber that the user has selected as a default for that merchant. In oneembodiment, a profile can further include spending limits that limitsthe amount of purchases a user can make with a particular vendor orusing a particular profile.

A registry profile may include one or more service blocks identifying aregistry 114, 116 or database 112 in the local services module 124 andidentify a record within the identified registry 114, 116 or database112. In one embodiment, the service block includes a registryidentifier, a record identifier to specify a record within theidentified registry and a registry key. In one embodiment, differentrecords in the registry 114, 116 or database 112 are encrypted usingregistry key that is stored in the PDK 102 to prevent access to a recordwithout the PDK 102. In one embodiment, one or more processesimplemented by the control logic 350 are used to identify a serviceblock within a registry profile, allowing access to specific serviceblocks. This also allows application of service block-specific securityby making different service blocks independent of each other. Oneembodiment of launching, or accessing, an application using a registryprofile is further described below in conjunction with FIGS. 18-21.

Additionally, a profile may include application specific information,allowing a registry profile to be used to launch or access anapplication and application specific information included in theregistry profile or in another profile to be accessed by theapplication. This allows the PDK 102 to include data customizingoperation of an application. For example, a patient of a healthcarefacility may have a PDK 102 having a profile that stores the patient'smedical records, allowing a computing device 120 to retrieve thepatient's medical records when the PDK 102 communicates with a Reader108 coupled to the computing device 120. As another example, a PDK 102profile includes user preference data, allowing configuration of anapplication executed by a computing device 120 by communicating the userpreference data from the PDK 102 to the computing device 120 via aReader 108 coupled to the computing device 120. Hence, in addition toincluding data used for authentication or security, a PDK 102 mayinclude profiles for customizing operation of applications or forstoring data for subsequent access.

A profile can further include personal identification information suchas name, address, phone number, etc., insurance information,credit/debit card information, or information regarding visitedproviders. This information can be useful for certain types oftransactions. For example, patient office visits, a PDK 102 canautomatically transmit address, insurance and billing information to theReader 108 at the conclusion of the office visit.

Generally, some types of profile information (e.g., a biometric profile)can only be acquired during a trusted initialization process that isadministered by a trusted Notary. In one embodiment, other secureinformation such as medical conditions are also stored to the PDK 102 inthe presence of a Notary. Alternatively, certain types of low-riskinformation can be added by the user without a Notary, such as, forexample a change of address. In another embodiment, once an initialprofile has been stored to the PDK 102, a user can add information tothe PDK 102 using a Programmer without a Notary throughself-authentication. For example, in one embodiment, a PDK 102 that hasa stored biometric profile can be “unlocked” by providing a matchingbiometric input. Then, once unlocked, the user can add or removeadditional profiles, insurance cards, personal information, etc. to thePDK 102 using a Programmer. For example, in one embodiment, a user thathas unlocked his/her own PDK 102 can store additional biometricinformation (such as fingerprint information for other fingers) inhis/her PDK 102. In another example, a user that cancels an insurancecard, can unlock his/her PDK 102 to remove the insurance cardinformation. In another embodiment, the user can make copies of the PDK102 or move profiles from one PDK 102 to another once the PDK 102 isunlocked. FIG. 25 provides additional description of acquisition of aninitialization process.

The profile history 322 includes a programmer ID field 324, a Notary ID326, and a site ID field 328. The profile history 322 relates to thespecific hardware, Notary, and site used at the time the profile datawas created and stored to the PDK. Typically each profile 320 stores itsspecific profile history 322 along with the profile data 330. Theprofile history 322 can be recalled for auditing purposes at a latertime to ensure the credibility of the stored data. In one embodiment,transaction history can also be stored to the PDK memory 310. Here, thePDK 102 stores information associated with any transactions made withthe PDK 102 such as the healthcare provider, reason for office visit andinsurance used, etc.

The PDK 102 also includes a programmer I/O 340 that provides aninterface to a trusted Programmer (not shown). The Programmer comprisestrusted hardware that is used to program the memory 310 of the PDK 102.An example embodiment of a Programmer is described in U.S. patentapplication Ser. No. 11/744,832 to John Giobbi, et al., entitled“Personal Digital Key Initialization and Registration For SecureTransaction” and filed on May 5, 2007, the entire contents of which areincorporated herein by reference. The programmer I/O 340 can be, forexample, a USB interface, serial interface, parallel interface, or anyother direct or wireless link for transferring information between thePDK 102 and the Programmer. When coupled to the Programmer, theprogrammer I/O 340 receives initialization data, registration data orother information to be stored in the memory 310.

The control logic 350 coordinates between functions of the PDK 102. Inone embodiment, the control logic 350 facilitates the flow ofinformation between the programmer I/O 340, transceiver 360 and memory310. The control logic 350 can further process data received from thememories 310, programmer I/O 340 and transceiver 360. Note that thecontrol logic 350 is merely a grouping of control functions in a centralarchitecture, and in other embodiments, the control functions can bedistributed between the different modules of the PDK 102. The operationof the control logic will be understood to those skilled in the artbased on the description below corresponding to FIGS. 8-11D.

Optionally, the PDK 102 can also include a built in biometric reader 370to acquire a biometric input from the user. The biometric reader 370 isconfigured to obtain a representation of physical or behavioralcharacteristics derived from the individual. The biometric input can beused to unlock the PDK 102 for profile updates, or for various types ofauthentication. For example, in one embodiment, a biometric input isreceived by the PDK 102 and compared to stored biometric information.Then, if the user is authenticated, the PDK 102 can indicate to theReader 108 that the user is authenticated and transmit additionalinformation (e.g., a credit card number) needed to complete atransaction.

The transceiver 360 is a wireless transmitter and receiver forwirelessly communicating with a Reader 108 or other wireless device. Thetransceiver 360 sends and receives data as modulated electromagneticsignals. Moreover, the data can be encrypted by the transceiver 360 andtransmitted over a secure link. Further, the transceiver 360 canactively send connection requests, or can passively detect connectionrequests from another wireless source. In one embodiment, thetransceiver 360 is used in place of a separate programmer I/O 340 and isused to wirelessly communicate with the Programmer for programming. Inone embodiment, the transceiver 360 is adapted to communicate over arange of up to around 5 meters.

FIG. 4 is a block diagram illustrating one embodiment of a biometricreader 370 of a PDK 102. The biometric reader 370 includes a biometriccapture module 402, a validation module 404, an enrollment module 406and persistent storage 408. In one embodiment, the enrollment module 406registers a user with a PDK 102 by persistently storing biometric dataassociated with the user. Further, enrollment module 406 registers PDK102 with a trusted authority by providing the code (e.g., device ID) tothe trusted authority. Or conversely, the trusted authority can providethe code to PDK 102 to be stored therein.

The biometric capture module 402 comprises a scan pad to capture scandata from a user's fingerprint (e.g., a digital or analog representationof the fingerprint). Other embodiments of the biometric capture module402 includes retinal scanners, iris scanners, facial scanner, palmscanners, DNA/RNA analyzers, signature analyzers, cameras, microphones,and voice analyzers to capture other identifying biometric data. Usingthe biometric data, validation module 404 determines whether the user'sfingerprint, or other biometric data, matches the stored biometric datafrom enrollment. Conventional techniques for comparing fingerprints canbe used. For example, the unique pattern of ridges and valleys of thefingerprints can be compared. A statistical model can be used todetermine comparison results. Validation module 404 can send comparisonresults to control logic 350 of the PDK 102.

In other embodiments, validation module 404 can be configured to capturebiometric data for other human characteristics. For example, a digitalimage of a retina, iris, and/or handwriting sample can be captured. Inanother example, a microphone can capture a voice sample.

Persistent storage 408 persistently stores biometric data from one ormore users which can be provided according to specific implementations.In one embodiment, at least some of persistent storage 408 is a memoryelement that can be written to once but cannot subsequently be altered.Persistent storage 408 can include, for example, a ROM element, a flashmemory element, or any other type of non-volatile storage element.Persistent storage 508 is itself, and stores data in, a tamper-proofformat to prevent any changes to the stored data. Tamper-proofingincreases reliability of authentication because it does not allow anychanges to biometric data (i.e., allows reads of stored data, but notwrites to store new data or modify existing data). Furthermore, data canbe stored in an encrypted form.

In one embodiment, persistent storage 408 also stores the code that isprovided by the PDK 102 responsive to successful verification of theuser. Further, in some embodiments persistent storage 408 stores otherdata utilized during the operation of PDK 102. For example, persistentstorage 408 can store encryption/decryption keys utilized to establishsecure communications links.

An example embodiment of PDK 102 including a biometric reader isdescribed in U.S. patent application Ser. No. 11/314,199 to John Giobbi,et al., entitled “Biometric Personal Data Key (PDK) Authentication”, theentire contents of which are incorporated herein by reference.

Turning now to FIG. 5, an example embodiment of a Reader 108 isillustrated. The embodiment includes one or more biometric readers 502,a receiver-decoder circuit (RDC) 504, a processor 506, a networkinterface 508, an I/O port 612, optionally a credit card terminal I/O510 and a reader ID 518. In alternative embodiments, different oradditional modules can be included in the Reader 108.

The RDC 504 provides the wireless interface to the PDK 102. Generally,the RDC 504 wirelessly receives data from the PDKs 102 in an encryptedformat and decodes the encrypted data for processing by the processor506. An example embodiment of an RDC is described in U.S. patentapplication Ser. No. 11/292,330 entitled “Personal Digital Key AndReceiver/Decoder Circuit System And Method”, the entire contents ofwhich are incorporated herein by reference. Encrypting data transmittedbetween the PDK 102 and Reader 108 minimizes the possibility ofeavesdropping or other fraudulent activity. In one embodiment, the RDC504 is also configured to transmit and receive certain types ofinformation in an unencrypted or public format.

The biometric reader 502 receives and processes the biometric input 122from an individual and is configured to obtain a representation ofphysical or behavioral characteristics derived from the individual. Inone embodiment, the biometric reader 602 is a fingerprint scanner. Here,the biometric reader 502 includes an image capture device adapted tocapture the unique pattern of ridges and valleys in a fingerprint alsoknown as minutiae. Other embodiments of biometric readers 502 includeretinal scanners, iris scanners, facial scanner, palm scanners, DNA/RNAanalyzers, signature analyzers, cameras, microphones, and voiceanalyzers. Furthermore, the Reader 108 can include multiple biometricreaders 502 of different types. In one embodiment, the biometric reader502 automatically computes mathematical representations or hashes of thescanned data that can be compared to the mathematically processedbiometric profile information stored in the PDK 102.

The processor 506 can be any general-purpose processor for implementinga number of processing tasks. Generally, the processor 506 processesdata received by the Reader 108 or data to be transmitted by the Reader108. For example, a biometric input 122 received by the biometric reader502 can be processed and compared to the biometric profile 420 receivedfrom the PDK 102 in order to determine if a transaction should beauthorized. In different embodiments, processing tasks can be performedwithin each individual module or can be distributed between localprocessors and a central processor. The processor 506 further includes aworking memory for use in various processes.

The network interface 508 is a wired or wireless communication linkbetween the Reader 108 and one or more external databases such as, forexample, a validation database 112, the Central Registry 114 or aprivate registry 116 a, 116 b. For example, in one type ofauthentication, information is received from the PDK 102 at the RDC 504,processed by the processor 506, and transmitted to an external database112-116 through the network interface 508. The network interface 508 canalso receive data sent through the network 110 for local processing bythe Reader 108. In one embodiment, the network interface 508 provides aconnection to a remote system administrator to configure the Reader 108according to various control settings.

The I/O port 512 provides a general input and output interface to theReader 108. The I/O port 512 may be coupled to any variety of inputdevices to receive inputs such as a numerical or alphabetic input from akeypad, control settings, menu selections, confirmations, and so on.Outputs can include, for example, status LEDs, an LCD, or other displaythat provides instructions, menus or control options to a user.

The credit card terminal I/O 510 optionally provides an interface to anexisting credit card terminal 514. In embodiments including the creditcard terminal I/O 510, the Reader 108 supplements existing hardware andacts in conjunction with a conventional credit card terminal 514. In analternative embodiment, the functions of an external credit cardterminal 514 are instead built into the Reader 108. Here, a Reader 108can completely replace an existing credit card terminal 514.

In one embodiment, a Reader 108 is adapted to detect and preventfraudulent use of PDKs that are lost, stolen, revoked, expired orotherwise invalid. For example, the Reader 108 can download lists ofinvalid PDKs IDs 312 from a remote database and block these PDKs 102from use with the Reader 108. Furthermore, in one embodiment, the Reader108 can update the blocked list and/or send updates to remote registries114,116 a, 116 b or remote Readers 108 upon detecting a fraudulentlyused PDK 102. For example, if a biometric input 122 is received by theReader 108 that does not match the biometric profile received from thePDK 102, the Reader 108 can obtain the PDK ID 312 and add it to a listof blocked PDK IDs 312. In another embodiment, upon detecting fraudulentuse, the Reader 108 can send a signal to the PDK 102 that instructs thePDK 102 to deactivate itself. The deactivation period can be, forexample, a fixed period of time, or until the rightful owner requestsre-activation of the PDK 102. In yet another embodiment, the Reader 108can send a signal instructing the fraudulently obtained PDK 102 to sendalarm signals indicating that the PDK 102 a stolen device. Here, astolen PDK 102 can be tracked, located and recovered by monitoring thealarm signals. In one embodiment, the Reader 108 stores biometric orother identifying information from an individual that attempts tofraudulently use a PDK 102 so that the individual's identity can bedetermined.

The reader ID 518 is memory that stores the reader's uniqueidentification number. The memory can be a read-only memory, aonce-programmable memory, a read/write memory or any combination ofmemory types including physical access secured and tamperproof memories.The reader ID 518 plays an integral role in the process for trackingequipment, supplies and individuals as will be explained in more detailbelow.

Generally, the Reader 108 is configured to implement at least one typeof authentication prior to enabling a transaction. In many cases,multiple layers of authentication are used. A first layer ofauthentication, referred to herein as “device authentication,” beginsany time a PDK 102 moves within range of a Reader 108. In deviceauthentication, the Reader 108 and the PDK 102 each ensure that theother is valid based on the device characteristics, independent of anyprofiles stored in the PDK 102. In some configurations, when fast andsimple authentication is desirable, only device authentication isrequired to initiate the transaction. For example, a Reader 108 may beconfigured to use only device authentication for office visit check-ins.The configuration is also useful in other types of low risk transactionswhere speed is preferred over additional layers of authentication.

Other configurations of the Reader 108 require one or more additionallayers of authentication, referred to herein as “profile authentication”based on one or more profiles stored in the PDK 102. Profileauthentication can include, for example, a biometric authentication, aPIN authentication, a photo authentication, a registry authentication,etc. or any combination of the above authentication types. Profileauthentications are useful when a more exhaustive authentication processis desired, for example, for invasive patient treatments or drugadministration.

FIG. 6 is a high-level block diagram of one embodiment of a computingdevice 120. In one embodiment, the computing device 120 is a personalcomputer. In another embodiment, the computing device 120 is a smartphone or other mobile computing and communication device. Illustratedare at least one processor 602 coupled to a bus 604. Also coupled to thebus 604 are a memory 606, a storage device 608, a keyboard 610, agraphics adapter 612, a pointing device 614, a network adapter 616 and areader 620. In one embodiment, the functionality of the bus 604 isprovided by an interconnecting chipset. A display device 618 is coupledto the graphics adapter 612.

The memory 606 includes an application 630. In one embodiment, theapplication 630 enables the computing device 120 to communicate with thelocal services 124. In another embodiment, the application 630 processesinformation and data received from the readers 620 and various modulesand servers of the local services 124 and third party link module 126.

The storage device 608 is any device capable of holding data, like ahard drive, compact disk read-only memory (CD-ROM), DVD, or asolid-state memory device. The memory 606 holds instructions and dataused by the processor 602. The pointing device 614 may be a mouse, trackball, or other type of pointing device, and is used in combination withthe keyboard 610 to input data into the computing device 120. Thegraphics adapter 612 displays images and other information on thedisplay device 618. The network adapter 616 couples the computing device120 to a local or wide area network.

As is known in the art, a computing device 120 can have different and/orother components than those shown in FIG. 6. In addition, the computingdevice 120 can lack certain illustrated components. In one embodiment, acomputing device 120 lacks a keyboard 610, a pointing device 614, agraphics adapter 612, and/or a display device 618. Moreover, the storagedevice 608 can be local and/or remote from computing device 120 (such asembodied within a storage area network (SAN)). The reader 620 includesall or some of the components as the Reader 108 described above inconjunction with FIG. 5.

As is known in the art, the computing device 120 is adapted to executecomputer program modules for providing functionality described herein.As used herein, the term “module” refers to computer program logicutilized to provide the specified functionality. Thus, a module can beimplemented in hardware, firmware, and/or software. In one embodiment,program modules are stored on the storage device 608, loaded into thememory 606, and executed by the processor 602.

Embodiments of the entities described herein can include other and/ordifferent modules than the ones described here. In addition, thefunctionality attributed to the modules can be performed by other ordifferent modules in other embodiments. Moreover, this descriptionoccasionally omits the term “module” for purposes of clarity andconvenience.

FIG. 7 is a flowchart illustrating one embodiment of a process forauthorizing a communication connection using secure authentication. Whena PDK 102 comes within range of a Reader 108, communication isautomatically established 702 between the RDC 504 of the Reader 108 andthe PDK 102. It should be noted that the processes described herein withregards to Reader 108 may be also performed with reader 620 of thecomputing device 120.

In one embodiment, the RDC 504 continually transmits beacons that aredetected by the PDK 102 when it enters a proximity zone of the Reader108. In an alternative embodiment, the communication is insteadinitiated by the PDK 102 and acknowledged by the Reader 108. The initialcommunication between the Reader 108 and the PDK 102 is not encrypted toprovide increased security of communication between the Reader and thePDK 102.

In step 704, a device authentication is performed. Here, the Reader 108establishes if the PDK 102 is a valid device and PDK 102 establishes ifthe Reader 108 is valid. Furthermore, device authentication determinesif the PDK 102 is capable of providing the type of authenticationrequired by the Reader 108.

An example embodiment of a method 800 for performing 704 deviceauthentication is illustrated in FIG. 8. The RDC 504 receives andanalyzes 802 information from the PDK 102 and the PDK 102 receives andanalyzes 802 information received from the RDC 504. Generally, thisinitial information is transmitted over a public communication channelin an unencrypted format. Based on the received information, each device102, 504 determines 804 if the other is valid. As will be apparent toone of ordinary skill in the art, a number of different protocols can beused for this type of authentication such as, for example, achallenge-response authentication or a challenge handshakeauthentication protocol (CHAP). If either of the devices 102, 504 isinvalid 812, the process ends. If both the PDK 102 and the RDC 604 aredetermined by the other to be valid, the Reader 108 requests andreceives 806 authentication type information from the PDK 102 indicatingthe different types of authentication the PDK 102 is capable ofsatisfying based on the types of profiles stored by the PDK 102.

The available profile types in the PDK 102 are compared against theauthentication types that can be used by the Reader 108. For example, aparticular Reader 108 may be configured to perform only a fingerprintauthentication and therefore any PDK without a fingerprint biometricprofile cannot be used with the Reader 108. In one embodiment, theReader 108 can allow more than one type of profile to be used. Inanother embodiment, the Reader 108 requires more than one type ofprofile for authentication, while in yet further embodiments no profileauthentications are required. Next, the method determines 808 whetherthe PDK 102 has one or more profiles sufficient for authentication. Ifthe PDK 102 does not have one or more profiles sufficient forauthentication with the Reader 108, the devices 102, 504 are determinedto be invalid 812 because they cannot be used with each other. If thePDK 102 does have one or more sufficient types of profiles, the devicesare valid 810.

Turning back to FIG. 7, if either the PDK 102 or RDC 504 is not foundvalid during device authentication 704, the connection is not authorized718 and the process ends. If the devices are valid, the RDC 504temporarily buffers 708 the received PDK information. It is noted thatin one embodiment, steps 702-708 are automatically initiated each time aPDK 102 enters the proximity zone of the Reader 108. Thus, if multiplePDKs 102 enter the proximity zone, the Reader 108 automaticallydetermines which PDKs 102 are valid and buffers the received informationfrom each valid PDK 102.

The method next determines 710 whether profile authentication isrequired based on the configuration of the Reader 108, the type oftransaction desired or by request of a merchant or other administrator.If the Reader 108 configuration does not require a profileauthentication in addition to the PDK authentication, then the Reader108 proceeds to complete the transaction for the PDK 102. If the Reader108 does require profile authentication, the profile authentication isperformed 712 as will be described below with references to FIGS. 9-10D.If a required profile is determined 714 to be valid, the Reader 108allows 716 the connection. Otherwise, the Reader 108 indicates that theconnection is not authorized 718. In one embodiment, allowing 716 theconnection includes enabling access to secure patient records. Inanother embodiment, allowing 716 the connection includes enabling theautomatic logging in and out of software and system applications.Patient or provider name or medical record number (typically stored in aprofile memory field 332) can be transmitted by the PDK 102 foridentification purposes. In one embodiment, the PDK 102 is configuredwith multiple purchasing means and a default is configured for differenttypes of transactions. In another embodiment, each insurance card ormedical billing information is displayed to the customer by the Reader108 and the customer is allowed to select which to apply to the officevisit.

Turning now to FIG. 9, an embodiment of a method 900 for profileauthentication is illustrated. In step 902, a secure communicationchannel is established between the RDC 504 and the PDK 102. Informationsent and received over the secure channel is in an encrypted format thatcannot be practically decoded, retransmitted, reused, or replayed toachieve valid responses by an eavesdropping device. The Reader 108transmits 904 profile authentication requests to the PDK 102 requestingtransmission of one or more stored profiles over the secure channel.

In one embodiment, a trigger is required certain times, but not requiredwithin specified time intervals. This allows a trigger to initially berequired to authenticate a profile, but not required after initialauthentication of the profile. For example, a trigger may be required toauthenticate a profile the first time the Reader 108 transmits 904 aprofile authentication request to the PDK 102, prompting a biometricauthentication, or other type of authentication, as further describedbelow. If the profile is authenticated, the next time the Reader 108transmits 904 a profile authentication request to the PDK 102 during aspecified time interval, no trigger is required and the Reader 108relies on the previous authentication to authenticate the profile. Thus,the time interval simplifies access to a computing device 120 associatedwith the Reader 108 by identifying a length of time during which theprofile is considered to be authenticated without being tested orwithout requiring detection of a trigger, as described below.

For example, the first time a healthcare provider accesses a computingdevice 120, the healthcare provider is required to provide a biometricinput, as further described below, to verify the identity of thehealthcare provider. To simplify subsequent access to the computingdevice 120, a time interval of four hours is associated with thehealthcare provider's profile, so that the healthcare provider's profileremains authenticated by the Reader 108 for four hours after initialauthentication. This allows the healthcare provider to subsequentlyaccess the computing device 120 without again providing biometric input.However, after four hours have elapsed, when the healthcare provideragain accesses the Reader 108, the Reader 108 again requires thehealthcare provider to provide a biometric input to verify thehealthcare provider's profile.

Accordingly, after the Reader 108 transmits 904 profile authenticationrequests to the PDK 102 requesting transmission of one or more storedprofiles over the secure channel and received a stored profile forauthentication, the Reader 108 determines 906 whether a requestedprofile is within an associated time interval. In one embodiment, thetime interval data is transmitted by the PDK 102 along with the profile.Alternatively, the Reader 108 includes data describing time intervaldata associated with different profiles and uses the included data todetermine 906 whether the profile is within its associated timeinterval. For example, the time interval data includes a profile ID, thetime interval and the time when the profile was last authenticated. TheReader 108 determines whether the time when the profile is receivedresponsive to an authentication request is within the duration specifiedby the time interval of the time when the profile was lastauthenticated.

If the profile is not within its associated time interval, at 908, theprocess determines whether a “trigger” is required for authentication.The requirement for a trigger depends on the configuration of the Reader108, the specific type of transaction to be executed and the type ofauthentication requested. For example, if it has been longer than thetime interval from the time when the profile was previouslyauthenticated to the time when the profile is received responsive to theauthentication request, the process determines 908 whether a trigger isneeded to authenticate the profile.

In a first configuration, a trigger is required to continue the processbecause of the type of authentication being used. For example, inbiometric authentication, the authentication process cannot continueuntil the Reader detects a biometric contact and receives biometricinformation. It is noted that biometric contact is not limited tophysical contact and can be, for example, the touch of a finger to afingerprint scanner, the positioning of a face in front of a facial orretinal scanner, the receipt of a signature, the detection of a voice,the receipt of a DNA sample, RNA sample, or derivatives or any otheraction that permits the Reader 108 to begin acquiring the biometricinput 122. By supplying the biometric contact, the user indicates thatthe authentication and transaction process should proceed. For example,a PDK holder that wants log in to the healthcare software applicationsystem via the computing device 120 initiates the logon process bytouching a finger to the reader 720 of the computing device 120. Thecomputing device 120 then displays confirmation of the user's login.

In a second configuration, some other user action is required as atrigger to proceed with the transaction even if the authenticationprocess itself doesn't necessarily require any input. This can be usedfor many purchasing transactions to ensure that the purchase is notexecuted until intent to purchase is clear. For example, a Reader 108 ata gas station can be configured to trigger the transaction when acustomer begins dispensing gas. At a supermarket, a Reader 108 can beconfigured to trigger the transaction when items are scanned at acheckout counter. Similarly, a user may log in to healthcare softwareapplication system via the computing device 120 by simply being in theproximity zone of the reader 620 of a computing device 120 and beginningto use the keyboard 610 or pointing device 614 of the computing device120.

In a third configuration, no trigger is used and the Reader 108automatically completes the remaining authentication/transaction with noexplicit action by the user. This configuration is appropriate insituations where the mere presence of a PDK 102 within range of theReader 108 is by itself a clear indication of the person associated withthe PDK 102 desires to complete a transaction. For example, a Reader 108can be positioned inside the entrance to a doctor's office or clinic.When a patient having an associated PDK 102 walks through the entrance,the Reader 108 detects the PDK 102 within range, authenticates the user,and notifies the receptionist that the patient has arrived for his orher appointment. Thus, if no trigger is required, the process nextperforms 1014 the requested profile authentication tests.

If a trigger is required, the Reader 108 monitors 910 its inputs (e.g.,a biometric reader, key pad, etc.) and checks for the detection 912 of atrigger. If the required trigger is detected, the process continues toperform 914 one or more profile authentication test. FIGS. 10A-10Dillustrate various embodiments of profile authentication tests.According to different configurations of the Reader 108, one or more ofthe illustrated authentication processes may be used. Further, in someembodiments, one or more of the processes may be repeated (e.g., fordifferent types of biometric inputs).

However, if the Reader 108 determines 906 that the requested profile isreceived within an associated time interval, the Reader authenticates916 the profile. This beneficially simplifies access to a computingdevice 120 coupled to the Reader 108 by allowing an individual to bypassprofile authentication when the Reader 108 is accessed within a timeinterval of the initial profile authentication.

FIG. 10A illustrates a method 1000A for biometric authentication. Inbiometric authentication, a Reader 108 compares a biometric profilestored in the PDK 102 to the biometric input 122 acquired by thebiometric reader 502. Advantageously, the biometric input 122 is notpersistently stored by the Reader 108, reducing the risk of theft orfraudulent use. If the Reader 108 determine 1002 that biometricauthentication is requested, the Reader 108 scans 1104 the biometricinput 122 supplied by the user. In one embodiment, scanning 1004includes computing a mathematical representation or hash of thebiometric input 122 that can be directly compared to the biometricprofile.

In one embodiment, scanning 1004 also includes obtaining a biometricinput sample from the biometric input according to the same functionused to compute the biometric profile sample stored in the PDK 102.Optionally, the Reader 108 receives 1008 a biometric profile sample fromthe PDK 102 and determines 1100 if the biometric profile sample matchesthe biometric input sample. If the biometric profile sample does notmatch the input sample computed from the scan, the profile is determinedto be invalid 1018. If the biometric profile sample matches, the fullbiometric profile 1012 is received from the PDK 102 to determine 1014 ifthe full biometric profile 1012 matches the complete biometric input122. If the profile 1112 matches the scan, the profile 1112 isdetermined to be valid 1120, otherwise the profile 1012 is invalid 1018.It is noted that in one embodiment, steps 1008 and 1010 are skipped andonly a full comparison is performed. In one embodiment, the biometricprofile and/or biometric profile sample is encoded and transmitted tothe Reader 108 along with an encoding key and/or algorithm. Then, theReader 108 uses the encoding key and/or algorithm to recover thebiometric profile and/or biometric profile sample. In anotheralternative embodiment, only the encoding key and/or algorithm istransmitted by the PDK 102 and the biometric profile data is recoveredfrom a remote database in an encoded form that can then be decoded usingthe key and/or algorithm.

It will be apparent to one of ordinary skill that in alternativeembodiments, some of the steps in the biometric profile authenticationprocess can be performed by the PDK 102 instead of the Reader 108 or byan external system coupled to the Reader 108. For example, in oneembodiment, the biometric input 122 can be scanned 1004 using abiometric reader built into the PDK 102. Furthermore, in one embodiment,the steps of computing the mathematical representation or hash of thebiometric input and/or the steps of comparing the biometric input to thebiometric profile can be performed by the PDK 102, by the Reader 108, byan external system coupled to the Reader 108, or by any combination ofthe devices. In one embodiment, at least some of the information istransmitted back and forth between the PDK 102 and the Reader 108throughout the authentication process. For example, the biometric input122 can be acquired by the PDK 102, and transmitted to the Reader 108,altered by the Reader 108, and sent back to the PDK 102 for comparison.Other variations of information exchange and processing are possiblewithout departing from the scope of the invention. The transfer of databetween the PDK 102 and the Reader 108 and/or sharing of processing canprovide can further contribute to ensuring the legitimacy of eachdevice.

FIG. 10B illustrates a method 1000B for PIN authentication. If PINauthentication is requested 1024, a PIN is acquired 1026 from the userthrough a keypad, mouse, touch screen or other input mechanism.Optionally, the Reader 108 receives 1028 a PIN sample from the PDK 102comprising a subset of data from the full PIN. For example, the PINsample can comprise the first and last digits of the PIN. If the Reader108 determines 1030 that the PIN sample does not match the input, theprofile is immediately determined to be invalid 1036. If the PIN samplematches, the full PIN profile is received 1032 from the PDK 102 andcompared to the input. If the Reader 108 determines 1034 that theprofile matches the input, the profile is determined to be valid and isotherwise invalid 1036. It is noted that in one embodiment, steps 1028and 1030 are skipped.

FIG. 10C illustrates a method 1000C for a picture authentication. If theReader 108 determines 1024 that picture authentication is requested, apicture profile is received 1044 from the PDK 102 by the Reader 108 anddisplayed 1046 on a screen. An administrator (e.g., a clerk, securityguard, etc.) is prompted 1048 to compare the displayed picture to theindividual and confirms or denies if the identities match. If theadministrator confirms that the identities match, the picture profile isdetermined to be valid 1064 and is otherwise invalid 1052. In analternative embodiment, the process is automated and the administratorinput is replaced with a process similar to that described above withreference to FIG. 10A. Here, an image of the user is captured and facerecognition is performed by comparing picture profile informationreceived from the PDK 102 to the captured image.

FIG. 10D illustrates a method 1000D for authentication with a privateregistry 116 a, 116 b or the Central Registry 114. If the Reader 108determines that registry authentication is requested, a securecommunication channel is established 1062 over the network 110 betweenthe Reader 108 and one or more registries (e.g., the Central Registry114, any private registry 116 a, 116 b, or other validation database112). If any additional information is needed to process the registryauthentication (e.g., an insurance policy number), the Reader 108requests and receives the additional information from the PDK 102.Identification information is transmitted 1064 from the Reader 108 tothe registry 114, 116 a, 116 b through the network interface 608. ThePDK status is received 1066 from the registry to determine 1068 if thestatus is valid 1072 or invalid 1070. In one embodiment, the informationis processed remotely at the registry 114, 116 a, 116 b and the registry114, 116 a, 116 b returns a validation decision to the Reader 108. Inanother embodiment, the Reader 108 queries the private 116 a, 116 b orCentral registry 114 for information that is returned to the Reader 108.The information is then analyzed by the Reader 108 and the authorizationdecision is made locally. In one embodiment, the process involvestransmitting credit card (or other purchasing information) to avalidation database 112 to authorize the purchase and receive the statusof the card. Status information may include, for example, confirmationthat the card is active and not reported lost or stolen and thatsufficient funds are present to execute the purchase.

FIGS. 11A and 11B illustrate scenarios where multiple PDKs 102 a-e arepresent near a Reader 108. This scenario is common when a Reader 108 islocated in a high occupancy area such as, for example, a hospital lobbyor waiting area. In FIG. 11A, the Reader 108 communicates with PDKs 102a-d within the proximity zone 1102 and does not communicate with PDKs102 e-f outside the proximity zone 1102. In one embodiment, the Reader108 receives the unique PDK ID from a PDK 102 when it enters theproximity zone 1102 and records its time of arrival. In one embodiment,the Reader 108 further initiates a device authentication of the PDK 102after a predefined period of time (e.g., 5 seconds) that the PDK 102 iswithin the proximity zone 1102. For profile authentication, the Reader108 automatically determines which PDK 102 should be associated with anauthentication test and the transaction. For example, if the Reader 108receives a biometric input 122 from an individual, the Reader 108automatically determines which PDK 102 a-d is associated with theindividual supplying the biometric input 122. In another embodiment, adifferent trigger is detected (e.g., a PIN input) to initiate thedifferentiation decision. In yet another embodiment, the differentiationdecision is initiated without any trigger. It is noted that in someembodiments, where no trigger is required (such as a registryauthentication), no differentiation decision is made and authenticationsare instead performed for each PDK 102 within the proximity zone 1102.

In one embodiment, the proximity zone 1102 is scalable, allowingmodification of the area in which the Reader 108 communicates with a PDK102. For example, the proximity zone 1102 of a Reader 108 may bemodified from 1 foot to 100 feet. In one embodiment, an administrator orother designated individual modifies the proximity zone 1102 of a Reader108. This allows the sensitivity of a Reader 108 to be modified based ondifferent operating environment. For example, in a healthcare providersetting, the proximity zone 1102 of a Reader 108 located in a doctor'soffice is smaller than the proximity zone 1102 of a Reader 108 locatedin an examination room to reduce the number of times that the Reader 108in the doctor's office attempts to authenticate a PDK 102.

Additionally, while FIG. 11A shows a proximity zone 1102 that issymmetrical, in other implementations, the proximity zone isdirectional. FIG. 11B shows a directional proximity zone 1104 where theReader 108 interacts with PDKs 102 a, 102 b in a specific location.Hence, in FIG. 11B the Reader 108 communicates with PDKs 102 a,b withinthe directional proximity zone 1104 and does not communicate with PDKs102 c-f outside the directional proximity zone 1104. In one embodiment,a Reader 108 has an initial configuration of a proximity zone 1102 thatextends 360 degrees around the Reader; however, the Reader 108 may bemodified from the initial configuration to focus the proximity zone intoa directional proximity zone 1104. For example, a directional antennamay be coupled to the Reader 108 to generate a directional proximityzone 1104.

FIG. 12 illustrates an embodiment of an authentication method 1200 forthe scenario where multiple PDKs 102 are present within a proximity zone1102 or directional proximity zone 1104 of a Reader 108. In a PDK dataaccumulation phase 1202, PDK data 1230 is accumulated and buffered inthe Reader 108 for any valid PDKs 102 that enter the proximity zone 1102or the directional proximity zone 1104. In one embodiment, theaccumulation phase 1202 begins for a PDK 102 after it has been withinthe proximity zone 1102, or directional proximity zone 1104, for apredetermined period of time. In one embodiment, the PDK dataaccumulation phase 1202 is similar to the steps 702-708 described abovein detail with reference to FIG. 7 for each PDK 102 a-d in the proximityzone 1102 or the directional proximity zone 1104.

As illustrated, the accumulated PDK data 1230 includes one or moredifferentiation metrics from each valid PDK 102 within range of theReader 108. The differentiation metrics can include any information thatcan be used by the Reader 108 to determine which PDK 102 should beassociated with the authentication and/or transaction request. Accordingto various embodiments, differentiation metrics can include one or moreof distance metrics 1232, location metrics 1234 and duration metrics1236.

In one embodiment, a distance metric 1232 indicates the relativedistance of a PDK 102 to the Reader 108. This information is usefulgiven that a PDK 102 having the shortest distance to the Reader 108 isgenerally more likely to be associated with a received authenticationtrigger (e.g., a biometric input, a PIN input or a transaction request).The distance metrics 1232 can include, for example, bit error rates,packet error rates and/or signal strength of the PDKs 102. Thesecommunication measurements can be obtained using a number ofconventional techniques that will be apparent to those of ordinary skillin the art. Generally, lower error rates and high signal strengthindicate the PDK 102 is closer to the Reader 108.

Location metrics 1234 can be used to determine a location of a PDK 102and to track movement of a PDK 102 throughout an area. This informationcan be useful in determining the intent of the PDK holder to execute atransaction. For example, a PDK holder that moves in a direct pathtowards a cashier and then stops in the vicinity of the cashier islikely ready to make a purchase (or may be waiting in line to make apurchase). On the other hand, if the PDK 102 moves back and forth fromthe vicinity of a cashier, that PDK holder is likely to be browsing andnot ready to make a purchase. Examples of systems for determininglocation metrics are described in more detail below with reference toFIGS. 13-14.

The differentiation metrics can also include duration metrics 1236 thattracks the relative duration a PDK 102 remains within the proximity zone1102 or within the directional proximity zone 1104. Generally, the PDK102 with the longest time duration within the proximity zone 1102, orthe proximity zone 1104, is most likely to be associated with theauthentication request. For example, if the Reader 108 is busyprocessing a purchasing transaction at a cashier and another PDK 102 hasa long duration within the proximity zone 1102 or the directionalproximity zone 1104, it is likely that the user is waiting in line tomake a purchase. In one embodiment, the Reader 108 tracks duration 1236by starting a timer associated with a PDK 102 when the PDK 102 entersthe proximity zone 1102, or the directional proximity zone 1104, andresetting the time to zero when the PDK 102 exists. As another example,the Reader 108 tracks the duration when a PDK 102 of a doctor enters theproximity zone of a patient's room. A long duration of the doctor's PDK102 within the proximity zone can provide evidence that the doctor isspending an adequate amount of time examining the patient. On the otherhand, a short duration of the doctor's PDK 102 within the proximity zonecan provide evidence that the doctor just merely stopped by and did notperform any thorough examination. This information is useful inmonitoring patient treatment and provider performance to help ensurequality patient care.

In one embodiment, the Reader 108 can also receive and buffer profilesamples 1238 prior to the start of a profile authentication instead ofduring the authentication process as described in FIGS. 10A-10B. In oneembodiment, the Reader 108 determines which types of biometric profilesamples 1238 to request based on, for example, the configuration of theReader 108, the type of transactions performed by the Reader 108, ormanual requests from a clerk, security guard, etc. In one embodiment,the PDK 102 transmits one or more of the requested sample types based onprofiles available in the PDK 102 and/or user preferences. In anotherembodiment, the PDK 102 transmits one or more samples 1238 it hasavailable and only samples that match the authentication typesconfigured for the Reader 108 are buffered. For example, if a Reader 108is configured for fingerprint authentication, a PDK 102 may transmitsamples 1238 for several different fingerprint profiles (eachcorresponding to a different finger, for example). It will be apparentto one of ordinary skill in the art that other variations are possibleto provide flexibility in both the configuration of the Reader 108 forvarious types of authentication and flexibility for the PDK owner todetermine which types of authentication to use.

Because profile samples 1238 only comprise a subset of the profileinformation, in one embodiment, the samples can be safely transmittedover a public channel without needing any encryption. In anotherembodiment, the profile samples 1238 are transmitted with at least somelevel of encryption. In yet another embodiment, some of the data istransmitted over a public communication channel and additional data istransmitted over a secure communication channel. In differentconfigurations, other types of profile information can be accumulated inadvance. For example, in one embodiment, a photograph from a pictureprofile can be obtained by the Reader 102 during the data accumulationphase 1202. By accumulating the profile sample 1238 or other additionalinformation in advance, the Reader 108 can complete the authenticationprocess more quickly because it does not wait to receive the informationduring authentication. This efficiency becomes increasingly important asthe number of PDKs 102 within the proximity zone 1102, or within thedirectional proximity zone 1104, at the time of the transaction becomeslarger.

The PDK accumulation phase 1202 continues until a trigger (e.g.,detection of a biometric input) is detected 1204 to initiate a profileauthentication process. If a biometric input is received, for example,the Reader 108 computes a mathematical representation or hash of theinput that can be compared to a biometric profile and computes one ormore input samples from the biometric input. It is noted that inalternative embodiments, the process can continue without any trigger.For example, in one embodiment, the transaction can be initiated when aPDK 102 reaches a predefined distance from the Reader 108 or when thePDK 102 remains within the proximity zone 1102, or within thedirectional proximity zone 1104, for a predetermined length of time.

The process then computes a differentiation decision 1206 to determinewhich PDK 102 a-d should be associated with the authentication. In oneembodiment, the Reader 108 computes a differentiation result for eachPDK 102 using one or more of the accumulated data fields 1230. Forexample, in one embodiment, the differentiation result is computed as alinear combination of weighted values representing one or more of thedifferentiation metrics. In another embodiment, a more complex functionis used. The differentiation results of each PDK 102 are compared and aPDK 102 is selected that is most likely to be associated with thetransaction.

In another embodiment, for example, in a photo authentication, thedifferentiation decision can be made manually by a clerk, securityguard, or other administrator that provides a manual input 1212. In suchan embodiment, a photograph from one or more PDKs 102 within theproximity zone 1102 or within the directional proximity zone 1104 can bepresented to the clerk, security guard, or other administrator on adisplay and he/she can select which individual to associate with thetransaction. In yet another configuration, the decision is madeautomatically by the Reader 108 but the clerk is given the option tooverride the decision.

An authentication test 1208 is initiated for the selected PDK 102. Theauthentication test 908 can include one or more of the methodsillustrated in FIGS. 10A-10D. Note that if profile samples 1238 areacquired in advance, they need not be acquired again in theauthentication steps of FIGS. 10A-10B. It is additionally noted that inone embodiment, the Reader 108 compares the profile samples 1238 of thePDKs 102 to the computed input sample until a match is found beforeperforming a full profile comparison. In one embodiment, the Reader 108first compares samples from the selected PDK 102 until a match is found.For example, a Reader 108 may have accumulated multiple fingerprintprofiles samples 1238 (e.g., corresponding to different fingers) for theselected PDK 102. The Reader 108 receives a fingerprint input from, forexample, the left index finger, computes the input sample, and does aquick comparison against the accumulated samples 1338 for the selectedPDK 102 to efficiently determine a matching profile. The Reader 108 thenperforms the full comparison using the matching profile. In analternative embodiment, the Reader 108 performs a comparison of a firstsample from each PDK 102 and if no match is found, performs comparisonsof second samples from each PDK 102. It will be apparent to one ofordinary skill in the art that samples can be compared in a variety ofother orders without departing from the scope of the invention.

If the authentication test 1208 indicates a valid profile, thetransaction is completed 1210 for the matching PDK 102. If theauthentication test 1208 determines the profile is invalid, a newdifferentiation decision 1206 is made to determine the next mostlylikely PDK 102 to be associated with the transaction. The processrepeats until a valid profile is found or all the PDKs 102 aredetermined to be invalid.

FIG. 13 illustrates an example system is illustrated for determining alocation metric 1234 of a PDK 102 using a coordinate triangulationtechnique. In one embodiment of coordinate triangulation, multipletransmitting devices (e.g., Readers 108 a-c) are spaced throughout anarea. In one embodiment, the Readers 108 a-care coupled by a network.Each Reader 108 a-c has a range 1304 and the ranges 1304 overlap. EachReader 108 a-c determines a distance D1-D3 between the Reader 108 andthe PDK 102. Distance may be estimated, for example, by monitoringsignal strength and/or bit error rate as previously described. Thenusing conventional trigonometry, an approximate location of the PDK 102can be calculated from D1-D3. Although only three transmitters areillustrated, it will be apparent that any number of transmitters can beused to sufficiently cover a desired area. Location information can becomputed at predetermined time intervals to track the movement of PDKs102 throughout a facility.

Another embodiment of location tracking is illustrated in FIG. 14. Here,transmitters 1402 having ranges 1404 are distributed throughout an area.The ranges 1404 can vary and can be overlapping or non-overlapping. Inthis embodiment, each transmitter 1402 can detect when a PDK 102 entersor exists its range boundaries 1404. By time-stamping the boundarycrossings, a location vector can be determined to track the PDK'smovement. For example, at a first time, t1, the PDK 102 is detectedwithin the range of transmitter 1402 a. At a second time, t2, the PDK102 is detected within the range of transmitter 1402 b. At a third time,t3, the PDK 102 is within the range of transmitter 1402 c and at afourth time, t4, the PDK 102 is within the range of transmitter 1402 d.Using the location and time information, approximate motion vectors, v1,v2, v3, and v4 can be computed to track the motion of the PDK 102without necessarily computing exact distance measurements.

FIG. 15 is a block diagram illustrating an embodiment of a trackingserver 210. The tracking server 210 enables real-time tracking ofindividuals, equipment and supplies by monitoring and storing locationinformation of individuals, equipment or supplies with associated PDKs102. For example, the tracking server 210 allows rapid location ofhealthcare providers in case of an emergency, allows monitoring ofpatient location to ensure timely administration of medications andallows constant monitoring of equipment or supply location to minimizesearch time and inventory surplus requirements. One embodiment of thetracking server 210 includes a location data retrieval module 1502 and alocation log 1504. In one embodiment, the location log 1504 is adatabase, such as a Structured Query Language (SQL) database.

In one embodiment, multiple Readers 108 are placed at certain and knownpositions throughout a facility. For example, a Reader is placed aboveeach doorway of every room and at every computing device 120. In anotherembodiment, Readers 108 are placed in a grid pattern throughout thefacility. In one embodiment, entities within the facility carry anassociated PDK 102 uniquely identifying the entity and PDKs 102 areattached to different pieces of equipment or supplies within thefacility. Example embodiments of a tracking system are described in U.S.patent application Ser. No. 11/939,451 to John Giobbi, et al., entitled“Tracking System Using Personal Digital Key Groups” and filed on Nov.13, 2007, the entire contents of which are incorporated herein byreference.

A flowchart illustrating one embodiment of a process 1600 for trackingof equipment and individuals is shown in FIG. 16A. When a PDK 102 comeswithin the range of a Reader 108, connection is authorized 1602 betweenthe RDC 504 of the Reader 108 and the PDK 102. In one embodiment, theRDC 504 continually transmits beacons that are detected by the PDK 102when it enters a proximity zone of the Reader 108. In an alternativeembodiment, the communication is instead initiated by the PDK 102 andacknowledged by the Reader 108. As shown in the previous FIG. 7, deviceauthentication is first performed and once the Reader 108 establishes ifthe PDK 102 is a valid device and PDK 102 establishes if the Reader 108is valid, connection can be authorized.

Once connection is authorized 1602, the Reader 108 retrieves 1604 thePDK 102 information, such as PDK ID 312 and other informationidentifying the owner or entity associated with the PDK 102. In oneembodiment, the reader ID 518 of the Reader 108 is sent to the PDK 102and stored in the activity log 390 of the PDK 102. The reader and PDKinformation is sent 1606 to the tracking server 210. The location dataretrieval module 1502 receives 1608 the information, including the PDKID 312. The information is updated 1610 in the location log 1604 of thetracking server 210.

In one embodiment, the location log data is retrieved by the computingdevice 120. In such embodiments, the computing device 120 displays thelocations of the individuals and equipment being tracked; thereforemaking it possible to locate anyone and any piece of equipment at anygiven moment. In some embodiments, the location log data is displayedgraphically, for example, with a map of the facility and indications onthe map identifying locations of tracked items and people. In otherembodiments, the location log data is displayed on the computing device120 with text describing the locations of the tracked items and people.

This process 1600 occurs whenever a PDK 102 enters the proximity zone ofeach Reader 108 that it passes enabling constant tracking and locationof individuals carrying PDKs 102 and equipment with affixed PDKs 102.FIG. 16B is a graphical representation illustrating an example wherepatient, provider and equipment tracking is provided within a healthcarefacility. Readers 1650 are located at various locations throughout thehealthcare facility to receive PDK information. Computing devices arealso equipped with readers 1652 for receiving PDK information. TheReaders 1650 and 1652 receive information from the provider PDKs 1654,patient PDKs 1656 and equipment PDKs 1658 enabling the location andtracking of providers, patients and equipment anywhere throughout thehealthcare facility.

FIG. 17 is a block diagram illustrating an embodiment of an auto loginserver 220. The auto login server 220 allows for automated electronicsigning on of providers into the healthcare computer system, thereforeeliminating the constant and time-consuming login and logout ofhealthcare providers such as doctors, nurses, physician assistants,medical technicians, and other caregivers. In one embodiment, providerscan utilize their PDKs 102 to automatically log in to the applicationsoftware system by simply approaching or entering the proximity zone ofa Reader 620 of a computing device 120. In such embodiments, no manualinput is necessary. The auto login server 220 includes a deviceauthentication module 1702, a data retrieval module 1704, a biometricauthentication module 1706, an access module 1708 and a credentialsdatabase 1710. In some embodiments the auto login server resides in thelocal services module 124. The auto login server includes input andoutput ports for receiving data from and sending data to one or moreReaders 108. The device authentication module 1702 is coupled to thebiometric authentication module 1706 and data retrieval module 1704. Thedata retrieval module is couple to communicate with the access module,which is further configured to send access authorization to readers 620,108 and computing device 120.

FIG. 18 is a flowchart illustrating one embodiment of a method 1800 forautomatic login of a user. When a user carrying or wearing a PDK 102comes within the range of a Reader 620 communicating with a computingdevice 120, communication is automatically established 1802 between theRDC 504 of the Reader 620 of a computing device 120. In one embodiment,the PDK 102 is incorporated into an identification badge of the user.Once communication with the PDK 102 is established, deviceauthentication is performed 1804.

In one embodiment, the device authentication module 1702 performs 1804device authentication. In another embodiment, the device authenticationis performed by the Reader 108 as described in step 704 of FIG. 7. Anexample embodiment of a method for performing 1804 device authenticationis illustrated in the previous FIG. 8. In one embodiment, the deviceauthentication is performed 1804 responsive to a user accessing anapplication 630 for execution by the computing device 120. For example,a user selects an application from a user bar or accesses an application730 using the operating system of the computing device 120.

Next, the device authentication module 1702 determines 1806 whether thePDK 102 is valid. If the PDK 102 is found to be invalid, connection isnot authorized 1816 and the process ends without the logging in of theuser.

In one embodiment, if the PDK 102 is found to be valid, the biometricauthentication module 1706 determines 1806 if biometric information isavailable. If biometric information is available, the biometricauthentication module 1706 performs 1810 biometric authentication. Inone embodiment, a provider provides biometric information by swipingtheir finger on a Reader 108 of the computing device 120. In anotherembodiment, the provider provides biometric information by entering aPIN number. In yet another embodiment, the provider provides biometricinformation be swiping their finger on the biometric reader 370 of thePDK 102. If biometric information is not available (the provider has notswiped his finger or entered a PIN number), connection is not authorized1820 and the process ends. If biometric information is available,biometric authentication is performed 1810. Example embodiments forperforming authentication, such as biometric authentication, aredescribed above in conjunction with FIGS. 10A-D.

In one embodiment, biometric authentication is performed 1810 responsiveto an accessed application requesting or requiring biometricauthentication. For example, responsive to a user accessing anapplication from an application menu of the computing device 120, thecomputing device 120 determines whether a biometric check is needed bythe accessed application. If a biometric check is needed by the accessedapplication, the computing device 120 communicates with the Reader 108to perform 1818 biometric authentication. In one embodiment, thecomputing device 120 or the application server 240 includes a databasespecifying whether or not an application performs a biometric check.

Once biometric authentication is performed 1810, or if no biometricauthentication is not needed, the data retrieval module 1704 of theregistration server 205 retrieves 1812 information from the PDK 102 ofthe user and the access module 1708 allows 1814 the user to access oneor more applications. For example, the user is allowed 1814 to accessone or more applications from the application server 240. In someembodiments where biometric authentication is not required, the accessmodule 1708 compares the received data with data stored in thecredentials database 1710 to allow or deny access.

In one embodiment, the data retrieval module 1704 identifies a serviceblock of a registry profile stored by the PDK 102 to the computingdevice 120, which identifies the service block to the Reader 108, whichretrieves 1812 data from the identified service block. For example, thedata retrieval module 1704 identifies a registry identifier to specify aservice block and the Reader 108 retrieves 1812 a record identifier anda key from the service block. The Reader 108 communicates the retrieved1812 record identifier and the key and a PDK ID to the applicationserver 240 in addition to a request to launch the accessed application.

In one embodiment, the accessed application 630 of the computing device120 communicates the data retrieved from the PDK 102 to the applicationserver 240, which communicates login credentials associated with theapplication 630 to the computing device 120. The computing device 120uses the login credential information access the application 630. Forexample, the application 630 communicates a PDK ID, a record identifierand a key retrieved form the PDK 102 to the application server 240,which identifies a login and password from the PDK ID, the recordidentifier and the key. The login and password are communicated from theapplication server 240 to the computing device 120, which uses the loginand password to launch the application 630. In another embodiment, theapplication 630 of the computing device 120 retrieves the logincredential information associated with the data retrieved form the PDK102 from the credentials database 320 to allow 1814 access to one ormore applications. Allowing 1814 access to one or more applications isfurther described below in conjunction with FIG. 19.

In some embodiments, provider identifying information is stored in thePDK 102. As long as connection is established (1816—Yes) (the provideris in the proximity zone of the reader 620 of the computing device 120),access is allowed 1814. If the provider steps outside the proximity zoneof the reader 620, connection is no longer established (1816—No) and theprovider is logged out 1818 of the application server 240. Those skilledin the art will recognize that depending on the level of authenticationdesired, the need for steps 1808 and 1810 may be omitted.

In some embodiments, various rules are applied. In one embodiment,biometric input is required for users who haven't logged in for anextended period of time. In one embodiment, the extended period of timeis eight hours. In another embodiment, the extended period of time istwenty four hours. In one embodiment, a secure screen saver is utilizedin place of a full login/logout procedure. In another embodiment, thesystem allows for multiple users to be simultaneously logged in to asingle workstation.

FIG. 19 is a flowchart of one embodiment of a method 1814 forautomatically allowing access to one or more applications. Initially, itis determined 1901 whether the computing device 120 is shared orprivate. A shared computing device 120 is able to be automaticallyaccessed by to users associated with a plurality of PDK IDs. A privatecomputing device 120 is able to be automatically accessed by a userassociated with a specific PDK ID. For example, a shared computingdevice 120 is included in a location where it is accessible by multipleusers, such as in a clinic room or examination room in a healthcarefacility for use by different healthcare providers, while a privatecomputing device 120 is included in a location where its accessible by aspecific user, such as in a doctor's office of a healthcare facility foruse by a doctor. In one embodiment, data included in the computingdevice 120 indicates whether the computing device 120 is shared orpublic.

In an alternative embodiment, rather than determine 1901 whether thecomputing device 120 is shared or private, the computing device 120determines whether a user associated with the PDK 102 is a shared useror a private user. When a PDK 102 associated with a shared usercommunicates with a Reader 620, the computing device 120 coupled to theReader 620 displays 1902 the user name of the user associated with thePDK 102, as further described below. Thus, if multiple PDKs 102associated with shared users are within the proximity zone of the Reader620, the computing device 120 communicating with the Reader 620 displaysuser names associated with the different shared users, and anapplication is not launched until one of the displayed user names isselected, as further described below. If a PDK 102 is associated with aprivate user, when the PDK 102 is within the proximity zone of theReader 620, the private user is logged into 1906 the application server240 without displaying one or more user names. Thus, when a PDK 102associated with a private user is within the proximity zone of a Reader620, the private user is logged into 1906 the application server 240, asfurther described below.

If the computing device 120 is shared, after biometric authentication isperformed 1810 and the data retrieval module 1704 of the registrationserver 205 retrieves 1812 information from the PDK 102 of the user, thecomputing device 120 displays 1902 a user name associated with theinformation from the PDK 102. In one embodiment, if multiple PDKs 102are within the proximity zone of the Reader 620, and the computingdevice 120 is shared, the computing device 120 displays 1902 user namesassociated with each of the PDKs 102 within the proximity zone of theReader 620.

The computing device 120 receives 1904 an input accessing the displayeduser name. If multiple user names are displayed 1902, the computingdevice 120 receives 1904 an input accessing one or the displayed usernames. The computing device 120 or the Reader 604 then logs into 1906the application server 240, or to the application 630, using credentialsassociated with the accessed user name. Using the credentials associatedwith the accessed user name, the computing device 120 launches 1908 oneor more applications associated with the accessed user name.

For example, the application server 240 associates two or moreapplications with the accessed user name, and responsive to thecomputing device 120 receiving 1904 an access to the user name, theapplication server 240 communicates data to the computing device 120 tolaunch 1908 the two or more applications associated with the accesseduser name. In one embodiment, the applications associated with the username are stored in the application server 240 as a scenario and a userspecifies a default scenario to identify applications that areautomatically launched 1908 when a user is automatically logged into acomputing device 120 using data stored on a PDK 102.

If the computing device 120 is private, after biometric authenticationis performed 1810 and the data retrieval module 1704 of the registrationserver 205 retrieves 1812 information from the PDK 102 of the user, thecomputing device 120 or the Reader 620 then logs into 1906 theapplication server 240, or to the application 630, using credentialsassociated with the accessed user name. Using the credentials associatedwith the accessed user name, the computing device 120 launches 1908 oneor more applications associated with the accessed user name. Hence, aprivate computing device 120 automatically launches 1908 one or moreapplications when the PDK 102 associated with a user authorized to usethe private computing device 120. For example, when the PDK 102associated with a doctor enters the proximity zone of the Reader 620associated with a computing device 120 in the doctor's office, thecomputing device 120 automatically launches one or more applicationsassociated with the doctor.

In addition to automatically launching one or more applications when aPDK 102 associated with a user is within a proximity zone of a readercoupled to a computing device 120, the auto login server 220 and/or theapplication server 240 allow a user to customize the one or moreapplications launched by the computing device 120. In some embodiments,the auto login server and/or the application server 240 also modify theone or more launched application responsive to user interaction withpreviously launched applications.

FIG. 20 illustrates one embodiment of a method 2000 for identifying oneor more applications automatically launched for a user when the user isproximate to a Reader 620. Initially, the auto login server 220determines whether one or more default applications are associated witha user identified from a PDK 102. A default application is automaticallylaunched when data from a PDK 102 authenticates a user to access acomputing device 120. In one embodiment, the auto login server 220determines 2002 whether one or more default applications are associatedwith a user and logs in 2004 to the application server 240 using logincredentials identified from the data received from the PDK 102.Alternatively, the application server 240 determines 2004 whether one ormore default applications are associated with the user.

If one or more default applications are associated with a user, theapplication server 240 launches 2006 the one or more defaultapplications by communicating data associated with the one or moredefault applications to a computing device 120 coupled to the Reader 620from which the auto login server 220 or the application server 240received data from the PDK 102. In one embodiment, the applicationserver 240 applies application-specific preferences when launching 2006a default application. For example, the application server 240associates an application location preference with a user, so that whena default application is launched 2006 the application locationpreference identifies a specific location within the default applicationthat is initially accessed. For example, the application server 240identifies a specific text entry region of an application and when theapplication is launched the specified text entry region is accessed,allowing a user to begin entering text data in the specified text entryregion without first selecting the text entry region. While describedabove in conjunction with default applications, in an embodiment theuser's application specific preferences are also applied when a usermanually launches an application, allowing the application server 240 toprovide increased user-customization to simplify application use.

After a default application is launched 2006, a user may manually close2012 the default application by interacting with the default applicationusing the computing device 120. When a user manually closes 2012 adefault application, the computing device 120 communicates data to theauto login server 220 and/or the application server indicating that thedefault application has been manually closed. The auto login server 220or the application server 240 stores 2014 data indicating that a defaultapplication has been manually closed. In one embodiment, when a userlogs out of the computing device 120 and does not exit the proximityzone of the Reader 620 coupled to the computing device 120 aftermanually closing the default application, the manually closed defaultapplication is not automatically launched 2006 when the user again logsinto the computing device 120. For example, if a user logs off of thecomputing device 120 after manually closing a first default applicationand does not exit the proximity zone of the Reader 620, when the useragain logs in to the computing device 120, based on the stored data, theauto login server 220 or the application server 240 does notautomatically launch the first default application. However, once theuser leaves the proximity zone of the Reader 620 after manually closingthe first default application, once the user re-enters the proximityzone of the Reader 620 and logs into the computing device 120, the autologin server 220 or the application server 240 again automaticallylaunches 2004 the first default application.

If a user manually closes each default application associated with theuser, the application server 240 communicates data to the computingdevice 120 indicating that no applications are executing, causing thecomputing device 120 to initiate 2210 an idle state where the user islogged into the computing device 120 and to the application server 240,allowing the user to manually launch one or more applications from thecomputing device 120.

However, if no default applications are associated with a user, theapplication server 240 communicates with the computing device 120coupled to the Reader 620 from which the auto login server 220 or theapplication server 240 received data from the PDK 102 to initiate 2010an idle state. In one embodiment, the application server 240communicates data to the computing device 120 indicating that noapplications are executing, causing the computing device 120 to initiate2210 the idle state.

The Reader 620 and PDK 102 may also be used to lock a computing device120 coupled to the Reader 620 in addition to limiting use of thecomputing device 120. For example, the Reader 620 and PDK 102 may beused to limit execution of certain applications using the computingdevice 120 while allowing users to use other applications locally storedon the computing device 120. For example, the PDK 102 and Reader 620 areused to limit the users permitted to execute a set of healthcareapplications, such as a patient record editor, while additional usersmay freely access a web browser included on the computing device 120.However, in some embodiments, it is desirable to further limit use ofthe computing device 120 so that users are unable to access applicationsusing the computing device 120 unless a valid PDK 102 associated withthe user is in the proximity zone of a Reader 620 coupled to thecomputing device 120.

FIG. 21 describes one embodiment of a method for locking a computingdevice 120 using a Reader 620 coupled to the computing device 120 and aPDK 102. Responsive to a PDK 120 leaving the proximity zone associatedwith a Reader 620, the Reader 620 communicates data to the computingdevice 120 and to the application server 240 to close 2104 applicationscurrently running on the computing device 120. In one embodiment, thedata communicated from the Reader 620 to the application server 240 logsthe user associated with the PDK 102 out of the application server 240.By closing 2104 applications executed by the application server 240 andby the computing device 120 when a PDK 102 leaves the proximity zone ofthe Reader 620, the security of the computing device 120 is increased.

Responsive to data from the Reader 620 indicating the PDK 102 has leftthe proximity zone of the Reader 620, after closing 2104 openapplications, the computing device 120 locks 2106 its display device andinitiates an access tracking process. In one embodiment, when thedisplay device 618 is locked 2104, a predefined image is displayed onthe display device 618, such as a logo or other image associated withthe location where the computing device 120 is located. Alternatively,when the display device 618 is locked 2104, the display device 2104 doesnot display an image or is a blank screen. The access tracking processis computer-readable data stored in the storage device 608 or the memory606 of the computing device 120 that, when executed by the processor602, monitors the keyboard 610, the pointing device 614 or otherinput/output devices of the computing device 120 for inputs. In oneembodiment, the access tracking process unlocks the display device 618responsive to identifying an input received by an input/output device120. However, until the access tracking process identifies an inputreceived by an input/output device 120, the display 618 is locked 2104,as further described above.

In one embodiment, the computing device 120 receives 2108 one or moreadvertisements and displays 2110 the one or more advertisements when thedisplay device 618 is locked rather than displaying a fixed image orblanking the display device 618. For example, the computing device 120includes one or more advertisements in its storage device 608 anddisplays 2110 the one or more advertisements when the display device 618is locked. In one embodiment, the computing device 120 alternates theadvertisements displayed 2110 at different time intervals, allowingdifferent advertisements to be displayed 2110 while the display device618 is locked. In an alternative embodiment, the computing device 120receives 2108 the one or more advertisements from a third party site 140or from the application server 240 and displays 2110 one or more of thereceived advertisements while the display device 618 is locked 2106. Inone embodiment, the application server 240 or the third party site 140receives data from the computing device 120 and modifies theadvertisements received 2108 by the computing device 120 responsive tothe data received from the computing device 120. For example, the thirdparty site 140 or the application server 240 receives data from thecomputing device 120 associated with a user or patient whose informationhas been recently accessed by the computing device 120. The computingdevice 120 then receives 2108 advertisements from third party site 140or the application server 240 associated with the user or patientinformation. This allows the computing device 120 to display 2110advertisements relevant to the recently accessed user or patient whenthe display device 618 is locked.

FIG. 22 is a graphical representation of one embodiment of automaticlogin of users. In this illustration, the user is a healthcare provider2252 with a unique identifying PDK. When the healthcare provider 2252having its associated PCK enters a patient's room and walks up to acomputing device 2254, the reader of the computing device 2154 retrievesinformation from the provider's 2252 PDK and automatically logs theprovider 2252 into the software system.

If PDKs 2256, 2258 are also used to identify the patient and equipmentin the patient's room, the reader of the computing device 2254 alsoretrieves information from those PDKs 2256, 2258. In one embodiment, thecomputing device displays user names associated with the PDKs 2256, 2258as well as a user name associated with the healthcare provider 2252 andthe healthcare provider 2252 selects the appropriate user name to log into the computing device. One or more default applications are thenlaunched by the computing device for access by the healthcare provider2252.

FIG. 23 is a block diagram illustrating an embodiment of a portal server230. The portal 230 provides a consistent interface to the third partysite 140. Such services may include receiving advertisement data,accessing a patient's virtual database records or insurance informationor sending prescription requests to remote pharmacies. The portal server240 includes a remote services communication module 2302 and a remoteservices identifier module 2304.

FIG. 24 is a flowchart illustrating one embodiment of a method 2400 forcommunicating with remote services provided by a third party site 140.The remote services communication module 2302 receives 2402 a requestfrom a computing device 120 to access one or more services, or data,provide by the third party site 140. The remote services identifiermodule 2304 identifies 2404 which remote service to contact. Forexample, if the request includes insurance information as well aspayment information, the remote services identifier module 2304determines that the request from the computing device 120 needs to becommunicated to a particular third party site 140.

A determination is then made to determine whether the requested remoteservice or data is available 2406. If the remote service is notavailable (2406—No), then a connection to the third party site 140 isnot established. In some embodiments, an error message is sent to thecomputing device 120 with a notification of the unavailability of therequested remote service. If the remote service is available (2406—Yes),communication with an appropriate third party site 140 is established.

FIG. 25 is a flow chart of one embodiment of a method 2500 initiallystoring data on a PDK 102 during an initialization or registrationprocess. In the example of FIG. 25, a PDK 102 is initialized using acomputing device 120. Additionally, the initial configuration and datastorage of the PDK 102 is witnessed and authenticated by a specializedtrusted Notary. In one embodiment, the Notary is associated with aNotary PDK. For example, the computing device 120 includes dataidentifying PDK IDs associated with one or more notaries.

In one embodiment, the computing device 120 initially identifies 2502one or more Notaries to witness PDK 102 initialization. For example, auser associated with a master PDK accesses the computing device 120 andidentifies one or more PDK identifiers associated with one or moreNotaries. Only a user associated with the master PDK 102 is permitted toidentify 2102 PDK IDs associated with one or more Notaries. For example,a user associated with a Master PDK 102 identifies one or more PDK IDsassociated with Notaries, allowing the computing device 120 to locateNotaries by comparing PDK IDs from a Reader 620 to the Notary PDK IDsidentified by the Master PDK.

After a Notary is identified 2502, the computing device 120 establishes2504 communication with the PDK 102 to be initialized and establishes2504 communication with a PDK 102 associated with a Notary, as furtherdescribed above. The computing device 102 receives information from thePDK 102 to be initialized to determine if the PDK 102 to be initializedis authorized for initialization and also receives information from thePDK 102 associated with the Notary to determine if the Notary isauthorized to perform the initialization. If both the PDK 102 to beinitialized and the PDK 102 associated with the Notary are authorized toperform the initialization, the computing device 120 receives 2508biometric data from a user associated with the PDK 102 to beinitialized. The Notary witnesses the receipt 2508 of biometric data bythe computing device 120, either in person or remotely, to ensure thatthe received biometric data is trustworthy. The computing device 120then stores 2510 the received biometric data. In one embodiment, thecomputing device 120 communicates the biometric data to the PDK 102 tobe initialized for storage and also locally stores 2510 the biometricdata. In another embodiment, the computing device 120 communicates thereceived biometric data to a central registry 114 or a private registry116 for storage along with the ID of the PDK 102 to be initialized. Forexample, the central registry 114 or a private registry 116 includes aPDK ID of the PDK 102 to be initialized, biometric data associated withthe PDK ID of the PDK 102 to be initialized and other user dataassociated with the PDK ID of the PDK 102 to be initialized.

FIG. 26 shows an example user interface 2600 for configuring userinformation associated with a PDK 102. In one embodiment, the userinterface 2600 is displayed by a computing device 120 that is used toinitialize a PDK 102. The user interface 2600 includes a userconfiguration region having a user identifier editor 2602, a user typeeditor 2604 and a PDK ID editor 2606. Interacting with the useridentifier editor 2602, the user type editor 2604 and the PDK ID editor2606 allows a user, such as an administrator, to specify a useridentifier associated with a PDK ID and to associate a user type withthe user name and with the associated PDK ID. In one embodiment, theuser type editor 2604 allows a user to select from a predefined listingof user types. For example, the user type editor 2604 allows a user tospecify whether a user identifier is associated with a general user,with an administrator or with a Notary. Depending on the user type, thefunctionality of a user is modified. For example, a user identifierassociated with an administrator is able to modify execution ofdifferent applications or customize application execution for otherusers while a user identifier associated with a Notary is authorized toauthenticate the accuracy of biometric data received by the computingdevice 120.

Additionally, the user interface 2600 includes a user data summary 2610that displays data associated with a user identifier, such as contactinformation for the user, a job title for the user and a listing ofgroups to which the user belongs. In one embodiment, a user accesses theuser data summary 2610 to identify one or more groups to which the userbelongs. A biometric data summary 2608 is also displayed to identify thetype of biometric data associated with a user and allowing a Notary tomodify the biometric data by interacting with the biometric datasummary. For example, a Notary may access the biometric data summary2608 to obtain a different type of biometric data associated with theuser.

FIG. 27 shows an example user interface 2700 for configuring assetinformation associated with a PDK 102. While FIG. 26 describesconfiguration of a user, such as an individual, associated with a PDK102, FIG. 27 describes configuration of information associated with anasset, such as equipment or supplies, associated with a PDK 102. In oneembodiment, the user interface 2700 is displayed by a computing device120 that is used to initialize a PDK 102. The user interface 2700includes an asset configuration region having an asset identifier editor2702, an asset type editor 2704 and a PDK ID editor 2706. Interactingwith the asset identifier editor 2702, the asset type editor 2704 andthe PDK ID editor 2706 allows a user, such as an administrator, tospecify a user identifier associated with a PDK ID and to associate auser type with the user name and with the associated PDK ID. In oneembodiment, the asset type editor 2704 allows a user to select from apredefined listing of user types. For example, the asset type editor2704 allows a user to specify whether an asset identifier is associatedwith a general asset, with an administrator or with a Notary. Dependingon the asset type, the functionality of an asset is modified, asdescribed above in conjunction with FIG. 26.

Additionally, the user interface 2700 includes an asset data summary2708 that displays data associated with an asset identifier, such as anasset name, an asset description, an asset location, an asset category,an asset service data or other data describing attributes of the asset.In one embodiment, a user accesses the asset data summary 2708 toidentify one or more groups to which the user belongs.

In addition to interacting with a user data summary 2610 or an assetdata summary 2708 to associate users or assets with a group, one or moreuser interfaces may be used to automatically or manually associate useridentifiers or asset identifiers with one or more groups. FIG. 28illustrates an example user interface 2800 allowing a user to manuallyidentify members, such as users and/or assets, included in a group. Theuser interface 2800 includes a group description 2802 allowing a user toidentify a group type, specify a group name and to modify the group nameor group type.

A member selection region 2804 identifies users and/or assets includedin a central registry 114 and/or a private registry 116 using a userlisting 2806 and identifies users and/or assets included in the groupidentified by the group description 2802 using a member listing 2808. Inone embodiment, a user selects a user identifier, or an assetidentifier, from the user listing 2806 and accesses a group modificationregion 2810, causing the selected user identifier or asset identifier tobe included in the group identified by the group description 2802. Oncethe group modification region 2810 is accessed, the selected groupidentifier, or asset identifier, is displayed in the member listing 2808rather than in the user listing 2806. Similarly, a user selects a useridentifier, or an asset identifier, from the member listing 2808 andaccesses a group modification region 2810 to remove the selected useridentifier, or asset identifier, from the group identified by the groupdescription 2802.

FIG. 29 illustrates an example user interface 2900 allowing a user toautomatically include users and/or assets in a group based on one ormore criteria. The user interface 2900 includes a group description 2802allowing a user to identify a group type, specify a group name and tomodify the group name or group type.

A rule specification region 2904 receives input identifying one or morerules for identifying users and/or assets for inclusion in a group. Forexample, the rule specification region 2904 receives rules for includinga user or asset in the group identified by the group description 2802.In one embodiment, the rule specification region 2904 receives inputidentifying values for one or more fields associated with a user, or anasset, and a user or asset including fields matching the valuesidentified by the rules is automatically associated with the groupidentified in the group description 2802. In the example shown by FIG.29, the rule specification region 2904 allows a user to specifycombinations of fields and values associated with the fields tocustomize the users or assets included in the group. For example, a rulemay include logical operators, such as “AND” or “OR,” to describecombinations of values and/or fields.

FIG. 30 is an example of a user interface 3000 for tracking a user orasset associated with a PDK 102 from a computing device 120. The userinterface 3000 receives input from a user to identify a user or asset tobe tracked by the tracking server 210. In the example of FIG. 30, theuser interface 3000 includes a quick search interface 3002 and anadvanced search interface 3004 as well as a result listing 3006.

The quick search interface 3002 receives input from a user forperforming simple searches based on a limited amount of data associatedwith a user or an asset. For example, the quick search interface 3002receives input identifying a name, a title, a description or a locationof a user or an asset and identifies the user or asset matching thereceived input. The quick search interface 3002 also allowsspecification of a group identifier to retrieve assets or users includedin the specified group.

The advanced search interface 3004 receives input for performingadvanced searches based on multiple data associated with a user or anasset or based on combinations of data associated with a user or anasset. In one embodiment, the advanced search interface 3004 receivesinput identifying values for one or more fields associated with a useror an asset that are used to identify one or more users or assetsincluding fields having values matching those identified by the values,or combination of values, received by the advanced search interface3004. In the example shown by FIG. 30, the advanced search interface3004 allows a user to specify combinations of fields and valuesassociated with the fields to identify assets or values. For example,the advanced search interface 2004 receives input identifying values formultiple fields and logical operators describing a number of values fordifferent fields. For example, the advanced search interface 3004 allowsvalues for fields to be combined using logical operators, such as “AND”or “OR,” to describe combinations of values and/or fields.

The result listing 3006 displays data associated with users or assetsthat match the search criteria received by the quick search interface3002 or the advanced search interface 3004. For example, the resultlisting 3006 displays a name, a title, a description, a floor plan and alocation associated with different assets or users matching the searchcriteria. In one embodiment, the result listing 3006 receives inputselecting one or more of the search results and a tracking input 3008causes the tracking server 210 to monitor the location of the assets orusers selected via the result listing 3006. In one embodiment, a firstinput received by the tracking input 3008 causes the tracking server 210to track the selected assets or users while a second input received bythe tracking input 3008 causes the tracking server 210 to track each ofthe assets or users identified by the result listing 3006.

FIG. 31 is an example of a user interface 3100 for identifying thelocation of a tracked user or asset associated with a PDK 102 from acomputing device 120. The user interface 3100 displays data from thetracking server 210 indicating the location of one or more assets orusers tracked by the tracking server 210. In the example of FIG. 30, theuser interface 3100 includes a tracked item listing 3102, a navigationinterface 3104, an item location selector 3106 and a primary itemselector 3108.

The tracked item listing 3102 displays an item identifier associatedwith users or assets tracked by the tracking server 210. For example,the tracked item listing 3102 displays a user name or asset nameassociated with the tracked items. In one embodiment, the tracked itemlisting 3102 receives input selecting a user or asset and a subsequentinput received by the item location selector 3106 or the primary itemselector 3108 modifies the user interface 310. Items included in thetracked item listing 3102 may be manually identified by user input ormay be automatically included based on one or more criteria of a user oran asset.

After selecting a user or asset form the tracked item listing 3102, aninput received by the item location selector 3106 causes the userinterface 3100 to visually distinguish the location of the selected itemin the navigation interface 3104. For example, the navigation interface3104 visually distinguishes the selected item from other tracked itemsresponsive to the item location selector 3106. In the example of FIG.31, the navigation interface 3104 modifies the color used to display theselected item and displays rings around the selected item responsive tothe item location selector 3106 receiving an input.

After selecting a user or asset form the tracked item listing 3102, aninput received by the primary item selector 3108 causes the userinterface 3100 to make the selected item the primary item so that thenavigation interface 3104 is modified to keep the selected item visible.For example, the navigation interface 3104 scrolls as the primary itemmoves to keep the primary item visible in the navigation interface 3104.Additionally, the navigation interface 3104 may visually differentiatethe primary item from other tracked items by changing the color used todisplay the primary item or otherwise modifying the presentation of theprimary item relative to other tracked items.

The navigation interface 3104 displays the location of the itemsidentified in the tracked item listing 3102 in a graphicalrepresentation of the environment including the tracked items. Forexample, the navigation interface 3104 displays a floor plan of anenvironment including the tracked items with the location of the trackeditems overlaid on the floor plan. In one embodiment, the navigationinterface 3104 includes navigation controls allowing a user to zoom inor out of the graphical representation of the environment including thetracked items or to pan across the graphical representation of theenvironment including the tracked items. The navigation interface 3104may also include a selector allowing modification of the graphicalrepresentation of the environment including the tracked items. Forexample, the navigation interface 3104 allows modification of the floorplan on which the positions of the tracked items are overlaid.

In one embodiment, the navigation interface 3104 also displays one ormore alert notifications 3110 associated with tracked items. An alertnotification 3110 is displayed responsive to a tracked item meeting oneor more criteria. For example, an alert notification 3110 is displayedwhen the tracking server 310 receives data from a PDK 102 indicatingthat the temperature proximate to an asset or a user is within aspecified range. The alert notification 3110 visually differentiates theitem meeting the criteria from other tracked items. In one embodiment,the alert notification 3110 displays a text message describing thealert. A user interface, such as the one described below in conjunctionwith FIG. 32, allows customization of the criteria that cause display ofan alert notification 3110.

FIG. 32 is an example of a user interface 3200 for specifying generationof an alert for an asset or user tracked by the tracking server 210. Theuser interface 3200 includes a current alert listing 3202 and an alerteditor 3204. In one embodiment, data received by the user interface 3200is communicated to the alert server 250, which generates alertsresponsive to the received data. The current alert listing 3202identifies alerts which are applied by the alert server 250 to datareceived from the tracking server 210 and/or from one or more PDKs 102.For example, the current alert listing 3202 displays an alert identifierand a description of the alerts currently being monitored by the alertserver 250. The current alert listing 3202 also receives input stoppingthe alert server 250 from applying an alert to received data. Also, thecurrent alert listing 3202 receives input for creating a new alert forapplication by the alert server 250.

The alert editor 3204 receives input for specifying a new alert or formodifying attributes of an existing alert. For example, the alert editor3204 receives data identifying the source of data for which the alertserver 250 applies the alert, such as from the tracking server 210, froma PDK 102 or from a Reader 108 or other sensor. The alert editor 3204also receives data specifying the criteria causing an alert to begenerated. For example, the alert editor 3204 receives data specifying atemperature range so that an alert is generated when the alert server250 receives data from a source indicating the temperature is within thespecified range.

The alert editor 3204 also receives data specifying how the alert server250 notifies a user that an alert is generated. In one embodiment, thealert editor 3204 receives data identifying one or more communicationprotocols and contact information used to communicate an alertnotification to a user. For example, the alert editor 3204 receives auser telephone number and e-mail address associated with a user,allowing the user to receive notification of an alert via a telephonecall, a text message and/or an e-mail. In one embodiment, the alerteditor 3204 associates a priority level to be associated with differentcommunication protocols to allow a user to specify how the user isnotified when an alert is generated. For example, the alert editor 3204associates a first communication protocol with a first priority leveland if the tracking server 210 does not receive a response within aspecified time interval after notifying a user of an alert, a secondcommunication protocol having a second priority level is used to againnotify the user of the alert.

FIG. 33 is an example of a user interface 3300 for describing reportsgenerated by data received from the tracking server 210 describingmovement of assets or users. The user interface 3300 includes a currentreport listing 3302 and a report editor 3304. The current report listing3302 identifies reports which are generated by the tracking server 210based on data received from PDKs 102 or other sources. For example, thecurrent report listing 3302 displays a report identifier and adescription of the reports being generated by the tracking server 210.The current report listing 3302 also receives input stopping thegeneration of a report by the tracking server 210 from received data.Also, the current report listing 3302 receives input for creating a newreport for generation by the tracking server 210 or for editing a reportgenerated by the tracking server 210.

The report editor 3304 receives input for specifying a new report forgeneration or for modifying a currently generated report. For example,the report editor 3304 receives data identifying a type of report, a PDK102 from which data for the report is received, one or more locationsfrom which data included in the report is received, a time intervalassociated with the report and a description of data included in thegenerated report. For example, the report editor 3304 receives dataindicating that the report includes the number of PDKs 102 visiting alocation, the total number of locations visited by a PDK 102, the lengthof time a PDK 102 was in a location or other suitable data. In oneembodiment, the report editor 3304 also receives data describing how thecontent included in the report is presented.

The foregoing description of the embodiments of the present embodimentof invention has been presented for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit the presentembodiment of invention to the precise form disclosed. Manymodifications and variations are possible in light of the aboveteaching. It is intended that the scope of the present embodiment ofinvention be limited not by this detailed description, but rather by theclaims of this application. As will be understood by those familiar withthe art, the present embodiment of invention may be embodied in otherspecific forms without departing from the spirit or essentialcharacteristics thereof. Likewise, the particular naming and division ofthe modules, routines, features, attributes, methodologies and otheraspects are not mandatory or significant, and the mechanisms thatimplement the present embodiment of invention or its features may havedifferent names, divisions and/or formats. Furthermore, as will beapparent to one of ordinary skill in the relevant art, the modules,routines, features, attributes, methodologies and other aspects of thepresent embodiment of invention can be implemented as software,hardware, firmware or any combination of the three. Also, wherever acomponent, an example of which is a module, of the present embodiment ofinvention is implemented as software, the component can be implementedas a standalone program, as part of a larger program, as a plurality ofseparate programs, as a statically or dynamically linked library, as akernel loadable module, as a device driver, and/or in every and anyother way known now or in the future to those of ordinary skill in theart of computer programming. Additionally, the present embodiment ofinvention is in no way limited to implementation in any specificprogramming language, or for any specific operating system orenvironment. Accordingly, the disclosure of the present embodiment ofinvention is intended to be illustrative, but not limiting, of the scopeof the present embodiment of invention, which is set forth in thefollowing claims.

What is claimed is:
 1. A system comprising: one or more processors; anda memory including instructions that, when executed by the one or moreprocessors, causes the system to: determine whether a computing deviceis physically shared or physically private based on a physical locationassociated with the computing device; determine that the computingdevice is a physically shared computing device; determine one or moreprerequisites for accessing the computing device based on whether thecomputing device is physically shared or physically private, one or moreprerequisites for accessing a physically private computing device havingat least one prerequisite differing from one or more prerequisites foraccessing the physically shared computing device, wherein the one ormore prerequisites for accessing the physically shared computing deviceinclude biometric authentication and selection of a user name; receive afirst profile when a first personal digital key (PDK) is within awireless proximity zone associated with the computing device, the firstprofile stored on the first PDK, the first PDK uniquely associated witha first user; receive a second profile from a second PDK, the second PDKuniquely associated with a second user and within the wireless proximityzone at the same time as the first PDK; subsequent to biometricauthentication of the first user, identify a first user name associatedwith the first profile received from the first PDK; subsequent tobiometric authentication of the second user, identify a second user nameassociated with the second profile received from the second PDK; receivethe first user name as a selected user name from a group including thefirst user name and the second user name; determine one or moreapplications for launch based on the first profile, the first profileassociated with the selected user name; subsequent to receiving theselected user name and subsequent to biometric authentication of thefirst user, launch the one or more applications based on the firstprofile when the selected user name is the first user name, wherein thebiometric authentication of the first user and selection of the firstuser name satisfy the prerequisites for accessing the physically sharedcomputing device.
 2. The system of claim 1, wherein one or more of thefirst profile and the second profile includes a username.
 3. The systemof claim 1, wherein the biometric authentication includes obtaining,from a user, a physical or behavioral characteristics identifying theuser using a biometric reader included in the PDK or associated with thecomputing device and authenticating the user based on the physical orbehavioral characteristic.
 4. The system of claim 3, wherein thebiometric reader is at least one of a fingerprint scanner, a retinalscanner, an iris scanner, a face scanner, a palm scanner, a DNAanalyzer, a signature analyzer or a voice analyzer.
 5. The system ofclaim 1, wherein determining the one or more applications for launchincludes determining, based on the first profile, a default scenariodefining the one or more applications, wherein the one or moreapplications launched are launched automatically subsequent to thecompletion of the one or more prerequisites and without additional useraction.
 6. The system of claim 1, wherein determining the one or moreapplications for launch includes determining, based on the firstprofile, a default scenario defining the one or more applications,wherein the one or more applications launched are launched automaticallysubsequent to the completion of the one or more prerequisites andwithout additional user action, and wherein a user manually closing anapplication defined by the default scenario causes that application tono longer automatically launch as part of the default scenario.
 7. Thesystem of claim 1, wherein determining the one or more applications forlaunch includes determining, based on the first profile, a defaultscenario defining the one or more applications, wherein the one or moreapplications launched are launched automatically subsequent to thecompletion of the one or more prerequisites and without additional useraction, and wherein a user manually closing an application defined bythe default scenario causes that application to no longer automaticallylaunch unless the first PDK exits and re-enters the wireless proximityzone.
 8. The system of claim 1, wherein the instructions, when executed,by the one or more processors, further cause the system to automaticallynavigate to one or more of a specific user interface of a launchedapplication and a specific location within a user interface of thelaunched application based on a location preference, the launchedapplication being one of the one or more applications launched based onthe first profile stored on the first PDK.
 9. The system of claim 8,wherein the specific location within a user interface of the launchedapplication based on a location preference is a text entry region. 10.The system of claim 1, wherein at least one of the one or moreapplications is an application whose execution is limited to one or morepermitted users.
 11. The system of claim 1, wherein the instructions,when executed, by the one or more processors, further cause the systemto compare the first profile with data stored in a credentials database.12. The system of claim 1, wherein the instructions, when executed, bythe one or more processors, further cause the system to request thefirst profile subsequent to detection of the first PDK entering thewireless proximity zone.
 13. The system of claim 1, wherein the wirelessproximity zone is asymmetric in a first direction.
 14. The system ofclaim 1, wherein the instructions, when executed, by the one or moreprocessors, further cause the system to lock a display device of thecomputing device responsive to receiving a signal that the first PDK isoutside of the wireless proximity zone.
 15. The system of claim 12,wherein the instructions, when executed, by the one or more processors,further cause the system to display advertisements received from a thirdparty site, the advertisements displayed using the display device whenthe display device is locked.
 16. The system of claim 15, wherein thethird party site identifies the one or more advertisements based on datareceived from the computing device.
 17. A method comprising: determiningwhether a computing device is physically shared or physically privatebased on a physical location associated with the computing device;determining that the computing device is a physically shared computingdevice; determining one or more prerequisites for accessing thecomputing device based on whether the computing device is physicallyshared or physically private, one or more prerequisites for accessing aphysically private computing device having at least one prerequisitediffering from one or more prerequisites for accessing a physicallyshared computing device, wherein the one or more prerequisites foraccessing the physically shared computing device include biometricauthentication and selection of a user name; receiving a first profilewhen a first personal digital key (PDK) is within a wireless proximityzone associated with the computing device, the first profile stored onthe first PDK, the first PDK uniquely associated with a first user;receiving a second profile from a second PDK, the second PDK uniquelyassociated with a second user and within the wireless proximity zone atthe same time as the first PDK; subsequent to biometric authenticationof the first user, identifying a first user name associated with thefirst profile received from the first PDK; subsequent to biometricauthentication of the second user, identifying a second user nameassociated with the second profile received from the second PDK;receiving the first user name as a selected user name from a groupincluding the first user name and the second user name; determining oneor more applications for launch based on the first profile, the firstprofile associated with the selected user name; subsequent to receivingthe selected user name and subsequent to biometric authentication of thefirst user, launching the one or more applications based on the firstprofile when the selected user name is the first user name, wherein thebiometric authentication of the first user and selection of the firstuser name satisfy the prerequisites for accessing the physically sharedcomputing device.
 18. The method of claim 17, wherein the biometricauthentication includes using biometric data received from at least oneof a fingerprint scanner, a retinal scanner, an iris scanner, a facescanner, a palm scanner, a DNA analyzer, a signature analyzer or a voiceanalyzer.
 19. The method of claim 17, wherein the biometricauthentication includes obtaining, from a user, a physical or behavioralcharacteristics identifying the user using a biometric reader includedin the PDK or associated with the computing device and authenticatingthe user based on the physical or behavioral characteristic.
 20. Themethod of claim 17, wherein determining the one or more applications forlaunch includes determining, based on the first profile, a defaultscenario defining the one or more applications, wherein the one or moreapplications launched are launched automatically subsequent to thecompletion of the one or more prerequisites and without additional useraction.